authorSami Hiltunen <shiltunen@gitlab.com>2023-02-09 12:57:58 +0300
committerSami Hiltunen <shiltunen@gitlab.com>2023-02-09 12:57:58 +0300
commit82b91f68bd600794a363ee0b9e72197b0ca2e6f2 (patch)
tree5a50ea6fc9307fba3959a7d3e785f3e620848c7f
parent4a6f31c9182921e5ca14e1b273e8440e510fb403 (diff)
parent57128d1963efe62f9e4b39b4ee9a95721c0c0a5f (diff)
Merge branch 'extract_file_permissions' into 'master'
Extract file and executable permissions to perm package See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/5359 Merged-by: Sami Hiltunen <shiltunen@gitlab.com> Approved-by: karthik nayak <knayak@gitlab.com> Reviewed-by: karthik nayak <knayak@gitlab.com> Co-authored-by: James Fargher <jfargher@gitlab.com>
-rw-r--r--cmd/gitaly-wrapper/main_test.go19
-rw-r--r--cmd/gitaly/check_test.go3
-rw-r--r--internal/backup/backup_test.go28
-rw-r--r--internal/backup/filesystem_sink.go2
-rw-r--r--internal/backup/filesystem_sink_test.go6
-rw-r--r--internal/backup/locator_test.go14
-rw-r--r--internal/bootstrap/bootstrap_test.go3
-rw-r--r--internal/cache/walker_test.go4
-rw-r--r--internal/cgroups/mock_linux_test.go4
-rw-r--r--internal/cgroups/v1_linux_test.go3
-rw-r--r--internal/git/conflict/parser_test.go3
-rw-r--r--internal/git/dirs_test.go2
-rw-r--r--internal/git/execution_environment_test.go5
-rw-r--r--internal/git/gitattributes/check_attr_test.go2
-rw-r--r--internal/git/gittest/http_server.go3
-rw-r--r--internal/git/housekeeping/clean_stale_data.go3
-rw-r--r--internal/git/housekeeping/clean_stale_data_test.go164
-rw-r--r--internal/git/housekeeping/optimize_repository_test.go4
-rw-r--r--internal/git/localrepo/objects_test.go2
-rw-r--r--internal/git/localrepo/refs_test.go3
-rw-r--r--internal/git/localrepo/repo_test.go7
-rw-r--r--internal/git/objectpool/link_test.go3
-rw-r--r--internal/git/objectpool/pool_test.go2
-rw-r--r--internal/git/quarantine/quarantine_test.go12
-rw-r--r--internal/git/remoterepo/repository_test.go3
-rw-r--r--internal/git/ssh.go5
-rw-r--r--internal/git/stats/repository_info_test.go54
-rw-r--r--internal/gitaly/config/config_test.go8
-rw-r--r--internal/gitaly/config/temp_dir_test.go2
-rw-r--r--internal/gitaly/hook/custom_test.go2
-rw-r--r--internal/gitaly/linguist/language_stats_test.go5
-rw-r--r--internal/gitaly/linguist/linguist_test.go4
-rw-r--r--internal/gitaly/maintenance/randomwalker_test.go2
-rw-r--r--internal/gitaly/repoutil/create_test.go10
-rw-r--r--internal/gitaly/rubyserver/rubyserver.go2
-rw-r--r--internal/gitaly/rubyserver/rubyserver_test.go3
-rw-r--r--internal/gitaly/service/conflicts/resolve_conflicts_test.go3
-rw-r--r--internal/gitaly/service/objectpool/alternates_test.go7
-rw-r--r--internal/gitaly/service/objectpool/create_test.go2
-rw-r--r--internal/gitaly/service/objectpool/fetch_into_object_pool_test.go2
-rw-r--r--internal/gitaly/service/objectpool/get_test.go2
-rw-r--r--internal/gitaly/service/objectpool/link_test.go3
-rw-r--r--internal/gitaly/service/repository/apply_gitattributes.go2
-rw-r--r--internal/gitaly/service/repository/apply_gitattributes_test.go2
-rw-r--r--internal/gitaly/service/repository/archive_test.go3
-rw-r--r--internal/gitaly/service/repository/backup_custom_hooks_test.go2
-rw-r--r--internal/gitaly/service/repository/create_fork_test.go4
-rw-r--r--internal/gitaly/service/repository/create_repository_from_url_test.go2
-rw-r--r--internal/gitaly/service/repository/fetch_remote_test.go3
-rw-r--r--internal/gitaly/service/repository/fsck_test.go3
-rw-r--r--internal/gitaly/service/repository/gc_test.go6
-rw-r--r--internal/gitaly/service/repository/info_attributes_test.go2
-rw-r--r--internal/gitaly/service/repository/midx_test.go3
-rw-r--r--internal/gitaly/service/repository/object_format_test.go3
-rw-r--r--internal/gitaly/service/repository/remove_test.go3
-rw-r--r--internal/gitaly/service/repository/replicate.go2
-rw-r--r--internal/gitaly/service/repository/replicate_test.go6
-rw-r--r--internal/gitaly/service/repository/restore_custom_hooks_test.go16
-rw-r--r--internal/gitaly/service/repository/snapshot_test.go10
-rw-r--r--internal/gitaly/service/server/info.go3
-rw-r--r--internal/gitaly/service/smarthttp/inforefs_test.go2
-rw-r--r--internal/gitaly/service/ssh/receive_pack_test.go5
-rw-r--r--internal/gitaly/service/ssh/upload_pack_test.go3
-rw-r--r--internal/gitaly/transaction/voting_test.go3
-rw-r--r--internal/gitlab/test_server.go2
-rw-r--r--internal/helper/perm/perm.go29
-rw-r--r--internal/log/hook.go3
-rw-r--r--internal/safe/file_writer_test.go3
-rw-r--r--internal/safe/locking_directory.go4
-rw-r--r--internal/safe/locking_directory_test.go3
-rw-r--r--internal/safe/locking_file_writer.go4
-rw-r--r--internal/safe/locking_file_writer_test.go21
-rw-r--r--internal/streamcache/cache_test.go6
-rw-r--r--internal/streamcache/filestore.go2
-rw-r--r--internal/streamcache/filestore_test.go4
-rw-r--r--internal/tempdir/clean_test.go2
-rw-r--r--internal/tempdir/tempdir_test.go3
-rw-r--r--internal/testhelper/logger.go2
-rw-r--r--internal/testhelper/testhelper.go2
-rw-r--r--packed_binaries.go4
-rw-r--r--packed_binaries_test.go5
-rw-r--r--tools/replace-buildid/main.go4
82 files changed, 341 insertions, 270 deletions
diff --git a/cmd/gitaly-wrapper/main_test.go b/cmd/gitaly-wrapper/main_test.go
index 5a78f90a1..9eb53340d 100644
--- a/cmd/gitaly-wrapper/main_test.go
+++ b/cmd/gitaly-wrapper/main_test.go
@@ -16,6 +16,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/bootstrap"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper/testcfg"
)
@@ -69,7 +70,7 @@ func TestFindProcess(t *testing.T) {
t.Parallel()
path := filepath.Join(testhelper.TempDir(t), "pid")
- require.NoError(t, os.WriteFile(path, []byte("garbage"), 0o644))
+ require.NoError(t, os.WriteFile(path, []byte("garbage"), perm.SharedFile))
_, err := findProcess(path)
_, expectedErr := strconv.Atoi("garbage")
@@ -82,7 +83,7 @@ func TestFindProcess(t *testing.T) {
// The below PID can exist, but chances are sufficiently low to hopefully not matter
// in practice.
path := filepath.Join(testhelper.TempDir(t), "pid")
- require.NoError(t, os.WriteFile(path, []byte("7777777"), 0o644))
+ require.NoError(t, os.WriteFile(path, []byte("7777777"), perm.SharedFile))
// The process isn't alive, so we expect neither an error nor a process to be
// returned.
@@ -117,7 +118,7 @@ func TestFindProcess(t *testing.T) {
require.NoError(t, err)
path := filepath.Join(testhelper.TempDir(t), "pid")
- require.NoError(t, os.WriteFile(path, []byte(strconv.FormatInt(int64(cmd.Process.Pid), 10)), 0o644))
+ require.NoError(t, os.WriteFile(path, []byte(strconv.FormatInt(int64(cmd.Process.Pid), 10)), perm.SharedFile))
process, err := findProcess(path)
require.NotNil(t, process)
@@ -175,7 +176,7 @@ func TestReadPIDFile(t *testing.T) {
t.Parallel()
path := filepath.Join(testhelper.TempDir(t), "pid")
- require.NoError(t, os.WriteFile(path, nil, 0o644))
+ require.NoError(t, os.WriteFile(path, nil, perm.SharedFile))
_, err := readPIDFile(path)
_, expectedErr := strconv.Atoi("")
require.Equal(t, expectedErr, err)
@@ -185,7 +186,7 @@ func TestReadPIDFile(t *testing.T) {
t.Parallel()
path := filepath.Join(testhelper.TempDir(t), "pid")
- require.NoError(t, os.WriteFile(path, []byte("invalid"), 0o644))
+ require.NoError(t, os.WriteFile(path, []byte("invalid"), perm.SharedFile))
_, err := readPIDFile(path)
_, expectedErr := strconv.Atoi("invalid")
require.Equal(t, expectedErr, err)
@@ -195,7 +196,7 @@ func TestReadPIDFile(t *testing.T) {
t.Parallel()
path := filepath.Join(testhelper.TempDir(t), "pid")
- require.NoError(t, os.WriteFile(path, []byte("12345"), 0o644))
+ require.NoError(t, os.WriteFile(path, []byte("12345"), perm.SharedFile))
pid, err := readPIDFile(path)
require.NoError(t, err)
require.Equal(t, 12345, pid)
@@ -348,7 +349,7 @@ func TestRun(t *testing.T) {
// Write the PID of the running process into the PID file. As a result, it should
// get adopted by gitaly-wrapper, which means it wouldn't try to execute it anew.
pidPath := filepath.Join(testhelper.TempDir(t), "pid")
- require.NoError(t, os.WriteFile(pidPath, []byte(strconv.FormatInt(int64(scriptCmd.Process.Pid), 10)), 0o644))
+ require.NoError(t, os.WriteFile(pidPath, []byte(strconv.FormatInt(int64(scriptCmd.Process.Pid), 10)), perm.SharedFile))
// Run gitaly-script with a binary path whose basename matches, but which ultimately
// doesn't exist. This proves that it doesn't try to execute the script again.
@@ -412,7 +413,7 @@ func TestRun(t *testing.T) {
`))
pidPath := filepath.Join(testhelper.TempDir(t), "pid")
- require.NoError(t, os.WriteFile(pidPath, []byte("12345"), 0o644))
+ require.NoError(t, os.WriteFile(pidPath, []byte("12345"), perm.SharedFile))
cmd := exec.CommandContext(ctx, binary, script)
cmd.Env = append(os.Environ(), fmt.Sprintf("%s=%s", bootstrap.EnvPidFile, pidPath))
@@ -443,7 +444,7 @@ func TestRun(t *testing.T) {
require.NoError(t, err)
pidPath := filepath.Join(testhelper.TempDir(t), "pid")
- require.NoError(t, os.WriteFile(pidPath, []byte(strconv.FormatInt(int64(scriptCmd.Process.Pid), 10)), 0o644))
+ require.NoError(t, os.WriteFile(pidPath, []byte(strconv.FormatInt(int64(scriptCmd.Process.Pid), 10)), perm.SharedFile))
cmd := exec.CommandContext(ctx, binary, script)
cmd.Env = append(os.Environ(), fmt.Sprintf("%s=%s", bootstrap.EnvPidFile, pidPath))
diff --git a/cmd/gitaly/check_test.go b/cmd/gitaly/check_test.go
index 19f5a3ea1..b880e5275 100644
--- a/cmd/gitaly/check_test.go
+++ b/cmd/gitaly/check_test.go
@@ -11,6 +11,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitlab"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper/testcfg"
)
@@ -113,7 +114,7 @@ func writeTemporaryGitalyConfigFile(tb testing.TB, cfg config.Cfg) string {
contents, err := toml.Marshal(cfg)
require.NoError(tb, err)
- require.NoError(tb, os.WriteFile(path, contents, 0o644))
+ require.NoError(tb, os.WriteFile(path, contents, perm.SharedFile))
return path
}
diff --git a/internal/backup/backup_test.go b/internal/backup/backup_test.go
index 8bf225ff1..753af831e 100644
--- a/internal/backup/backup_test.go
+++ b/internal/backup/backup_test.go
@@ -61,7 +61,7 @@ func TestManager_Create(t *testing.T) {
Seed: gittest.SeedGitLabTest,
})
require.NoError(tb, os.Mkdir(filepath.Join(hooksRepoPath, "custom_hooks"), perm.PublicDir))
- require.NoError(tb, os.WriteFile(filepath.Join(hooksRepoPath, "custom_hooks/pre-commit.sample"), []byte("Some hooks"), os.ModePerm))
+ require.NoError(tb, os.WriteFile(filepath.Join(hooksRepoPath, "custom_hooks/pre-commit.sample"), []byte("Some hooks"), perm.PublicFile))
return hooksRepo, hooksRepoPath
},
createsBundle: true,
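Review bot: Replacing `os.ModePerm` with `perm.PublicFile` for `pre-commit.sample` looks like a change of mode rather than a pure rename. `os.ModePerm` is 0o777, while another hunk of this commit substitutes `perm.PublicFile` for a literal `0o666` (perm.go is not in view here, so the value is inferred). If dropping the execute bits is intended, a comment such as `// the sample hook does not need to be executable for this test` would record that; otherwise `perm.PublicExecutable` keeps the old value. The same substitution recurs in the refs and `LATEST` writes in the later hunks of this file and in internal/backup/filesystem_sink_test.go. The enclosing test function continues outside the hunk.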
@@ -122,11 +122,11 @@ func TestManager_Create(t *testing.T) {
dirInfo, err := os.Stat(filepath.Dir(bundlePath))
require.NoError(t, err)
- require.Equal(t, os.FileMode(0o700), dirInfo.Mode().Perm(), "expecting restricted directory permissions")
+ require.Equal(t, perm.PrivateDir, dirInfo.Mode().Perm(), "expecting restricted directory permissions")
bundleInfo, err := os.Stat(bundlePath)
require.NoError(t, err)
- require.Equal(t, os.FileMode(0o600), bundleInfo.Mode().Perm(), "expecting restricted file permissions")
+ require.Equal(t, perm.PrivateFile, bundleInfo.Mode().Perm(), "expecting restricted file permissions")
output := gittest.Exec(t, cfg, "-C", repoPath, "bundle", "verify", bundlePath)
require.Contains(t, string(output), "The bundle records a complete history")
@@ -189,10 +189,10 @@ func TestManager_Create_incremental(t *testing.T) {
gittest.Exec(tb, cfg, "-C", repoPath, "bundle", "create", bundlePath, "--all")
refs := gittest.Exec(tb, cfg, "-C", repoPath, "show-ref", "--head")
- require.NoError(tb, os.WriteFile(refsPath, refs, os.ModePerm))
+ require.NoError(tb, os.WriteFile(refsPath, refs, perm.PublicFile))
- require.NoError(tb, os.WriteFile(filepath.Join(backupRepoPath, "LATEST"), []byte(backupID), os.ModePerm))
- require.NoError(tb, os.WriteFile(filepath.Join(backupPath, "LATEST"), []byte("001"), os.ModePerm))
+ require.NoError(tb, os.WriteFile(filepath.Join(backupRepoPath, "LATEST"), []byte(backupID), perm.PublicFile))
+ require.NoError(tb, os.WriteFile(filepath.Join(backupPath, "LATEST"), []byte("001"), perm.PublicFile))
return repo, repoPath
},
@@ -214,10 +214,10 @@ func TestManager_Create_incremental(t *testing.T) {
gittest.Exec(tb, cfg, "-C", repoPath, "bundle", "create", bundlePath, "--all")
refs := gittest.Exec(tb, cfg, "-C", repoPath, "show-ref", "--head")
- require.NoError(tb, os.WriteFile(refsPath, refs, os.ModePerm))
+ require.NoError(tb, os.WriteFile(refsPath, refs, perm.PublicFile))
- require.NoError(tb, os.WriteFile(filepath.Join(backupRepoPath, "LATEST"), []byte(backupID), os.ModePerm))
- require.NoError(tb, os.WriteFile(filepath.Join(backupPath, "LATEST"), []byte("001"), os.ModePerm))
+ require.NoError(tb, os.WriteFile(filepath.Join(backupRepoPath, "LATEST"), []byte(backupID), perm.PublicFile))
+ require.NoError(tb, os.WriteFile(filepath.Join(backupPath, "LATEST"), []byte("001"), perm.PublicFile))
gittest.WriteCommit(tb, cfg, repoPath, gittest.WithBranch("master"))
@@ -381,8 +381,8 @@ func testManagerRestore(t *testing.T, ctx context.Context) {
repoBackupPath := joinBackupPath(tb, backupRoot, repo)
backupPath := filepath.Join(repoBackupPath, backupID)
require.NoError(tb, os.MkdirAll(backupPath, perm.PublicDir))
- require.NoError(tb, os.WriteFile(filepath.Join(repoBackupPath, "LATEST"), []byte(backupID), os.ModePerm))
- require.NoError(tb, os.WriteFile(filepath.Join(backupPath, "LATEST"), []byte("001"), os.ModePerm))
+ require.NoError(tb, os.WriteFile(filepath.Join(repoBackupPath, "LATEST"), []byte(backupID), perm.PublicFile))
+ require.NoError(tb, os.WriteFile(filepath.Join(backupPath, "LATEST"), []byte("001"), perm.PublicFile))
bundlePath := filepath.Join(backupPath, "001.bundle")
gittest.BundleRepo(tb, cfg, repoPath, bundlePath)
@@ -402,8 +402,8 @@ func testManagerRestore(t *testing.T, ctx context.Context) {
repoBackupPath := joinBackupPath(tb, backupRoot, repo)
backupPath := filepath.Join(repoBackupPath, backupID)
require.NoError(tb, os.MkdirAll(backupPath, perm.PublicDir))
- require.NoError(tb, os.WriteFile(filepath.Join(repoBackupPath, "LATEST"), []byte(backupID), os.ModePerm))
- require.NoError(tb, os.WriteFile(filepath.Join(backupPath, "LATEST"), []byte("002"), os.ModePerm))
+ require.NoError(tb, os.WriteFile(filepath.Join(repoBackupPath, "LATEST"), []byte(backupID), perm.PublicFile))
+ require.NoError(tb, os.WriteFile(filepath.Join(backupPath, "LATEST"), []byte("002"), perm.PublicFile))
root := gittest.WriteCommit(tb, cfg, expectedRepoPath,
gittest.WithBranch("master"),
@@ -533,7 +533,7 @@ func TestResolveSink(t *testing.T) {
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/303724477529-compute%40developer.gserviceaccount.com"
-}`), 0o655))
+}`), perm.SharedFile))
for _, tc := range []struct {
desc string
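Review bot: The fixture written here is a service-account style credentials document (the hunk shows its `token_uri` and `client_x509_cert_url` keys), and it is now created with `perm.SharedFile`, which by its name is readable beyond the owner. For a credentials file, passing `perm.PrivateFile` as the mode argument would model the permissions a real deployment should use. The old literal `0o655` also differs from the `0o644` that `perm.SharedFile` replaces elsewhere in this commit, so the mode changes here either way. The start of the `os.WriteFile` call is outside the hunk.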
diff --git a/internal/backup/filesystem_sink.go b/internal/backup/filesystem_sink.go
index e9dad6188..f97a409e9 100644
--- a/internal/backup/filesystem_sink.go
+++ b/internal/backup/filesystem_sink.go
@@ -32,7 +32,7 @@ func (fs *FilesystemSink) Write(ctx context.Context, relativePath string, r io.R
return fmt.Errorf("create directory structure %q: %w", dir, err)
}
- f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
+ f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, perm.PrivateFile)
if err != nil {
return fmt.Errorf("write file %q: %w", path, err)
}
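Review bot: `perm.PrivateFile` only takes effect when this `os.OpenFile` call creates the file. With `O_CREATE|O_TRUNC` an existing file at `path` is truncated and keeps the mode it already had, so backup data can land in a file that others can read. If the sink is meant to guarantee private backups, follow the open with `if err := f.Chmod(perm.PrivateFile); err != nil { ... }`, or document the limit with `// mode applies only to newly created files`. The rest of `Write`, including how `f` is closed, is outside the hunk, so this is stated from the open call alone.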
diff --git a/internal/backup/filesystem_sink_test.go b/internal/backup/filesystem_sink_test.go
index 7e4025851..fbb6b67b7 100644
--- a/internal/backup/filesystem_sink_test.go
+++ b/internal/backup/filesystem_sink_test.go
@@ -24,7 +24,7 @@ func TestFilesystemSink_GetReader(t *testing.T) {
dir := testhelper.TempDir(t)
const relativePath = "test.dat"
- require.NoError(t, os.WriteFile(filepath.Join(dir, relativePath), []byte("test"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(dir, relativePath), []byte("test"), perm.SharedFile))
fsSink := NewFilesystemSink(dir)
reader, err := fsSink.GetReader(ctx, relativePath)
@@ -79,7 +79,7 @@ func TestFilesystemSink_Write(t *testing.T) {
fullPath := filepath.Join(dir, relativePath)
require.NoError(t, os.MkdirAll(filepath.Dir(fullPath), perm.SharedDir))
- require.NoError(t, os.WriteFile(fullPath, []byte("initial"), 0o655))
+ require.NoError(t, os.WriteFile(fullPath, []byte("initial"), perm.SharedFile))
fsSink := NewFilesystemSink(dir)
require.NoError(t, fsSink.Write(ctx, relativePath, strings.NewReader("test")))
@@ -96,7 +96,7 @@ func TestFilesystemSink_Write(t *testing.T) {
dir := testhelper.TempDir(t)
const relativePath = "nested/test.dat"
- require.NoError(t, os.WriteFile(filepath.Join(dir, "nested"), []byte("lock"), os.ModePerm))
+ require.NoError(t, os.WriteFile(filepath.Join(dir, "nested"), []byte("lock"), perm.PublicFile))
fsSink := NewFilesystemSink(dir)
err := fsSink.Write(ctx, relativePath, strings.NewReader("test"))
diff --git a/internal/backup/locator_test.go b/internal/backup/locator_test.go
index fb8802b6c..4096cb135 100644
--- a/internal/backup/locator_test.go
+++ b/internal/backup/locator_test.go
@@ -193,8 +193,8 @@ func TestPointerLocator(t *testing.T) {
require.ErrorIs(t, err, ErrDoesntExist)
require.NoError(t, os.MkdirAll(filepath.Join(backupPath, repo.RelativePath, backupID), perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, "LATEST"), []byte(backupID), 0o644))
- require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, backupID, "LATEST"), []byte("003"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, "LATEST"), []byte(backupID), perm.SharedFile))
+ require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, backupID, "LATEST"), []byte("003"), perm.SharedFile))
expected := &Backup{
Steps: []Step{
{
@@ -247,8 +247,8 @@ func TestPointerLocator(t *testing.T) {
require.Equal(t, expectedFallback, fallbackFull)
require.NoError(t, os.MkdirAll(filepath.Join(backupPath, repo.RelativePath, backupID), perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, "LATEST"), []byte(backupID), 0o644))
- require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, backupID, "LATEST"), []byte("001"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, "LATEST"), []byte(backupID), perm.SharedFile))
+ require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, backupID, "LATEST"), []byte("001"), perm.SharedFile))
expected := &Backup{
Steps: []Step{
{
@@ -276,7 +276,7 @@ func TestPointerLocator(t *testing.T) {
require.ErrorIs(t, err, ErrDoesntExist)
require.NoError(t, os.MkdirAll(filepath.Join(backupPath, repo.RelativePath), perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, "LATEST"), []byte("invalid"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, "LATEST"), []byte("invalid"), perm.SharedFile))
_, err = l.FindLatest(ctx, repo)
require.EqualError(t, err, "pointer locator: find latest: find: find latest ID: filesystem sink: get reader for \"TestPointerLocator/invalid/LATEST\": doesn't exist")
})
@@ -293,8 +293,8 @@ func TestPointerLocator(t *testing.T) {
require.ErrorIs(t, err, ErrDoesntExist)
require.NoError(t, os.MkdirAll(filepath.Join(backupPath, repo.RelativePath, backupID), perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, "LATEST"), []byte(backupID), 0o644))
- require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, backupID, "LATEST"), []byte("invalid"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, "LATEST"), []byte(backupID), perm.SharedFile))
+ require.NoError(t, os.WriteFile(filepath.Join(backupPath, repo.RelativePath, backupID, "LATEST"), []byte("invalid"), perm.SharedFile))
_, err = l.FindLatest(ctx, repo)
require.EqualError(t, err, "pointer locator: find latest: find: determine increment ID: strconv.Atoi: parsing \"invalid\": invalid syntax")
diff --git a/internal/bootstrap/bootstrap_test.go b/internal/bootstrap/bootstrap_test.go
index 0b3eae895..61f1f0efd 100644
--- a/internal/bootstrap/bootstrap_test.go
+++ b/internal/bootstrap/bootstrap_test.go
@@ -13,6 +13,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/helper"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
)
@@ -77,7 +78,7 @@ func TestBootstrap_unixListener(t *testing.T) {
require.NoError(t, err)
if tc.preexistingSocket {
- require.NoError(t, os.WriteFile(socketPath, nil, 0o755))
+ require.NoError(t, os.WriteFile(socketPath, nil, perm.SharedExecutable))
}
listener, err := b.listen("unix", socketPath)
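Review bot: `perm.SharedExecutable` on the placeholder written to `socketPath` keeps the old `0o755`, but it now reads as if the test needed an executable, which a stand-in for a stale socket is not. A comment like `// mode is irrelevant; the file only has to exist at the socket path` would make the intent clear. Switching to `perm.SharedFile` would too, assuming the listener code does not depend on the mode (not visible here). The `canary.txt` write in internal/cache/walker_test.go has the same mismatch between file type and constant name.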
diff --git a/internal/cache/walker_test.go b/internal/cache/walker_test.go
index d587dae74..0d1722fc5 100644
--- a/internal/cache/walker_test.go
+++ b/internal/cache/walker_test.go
@@ -79,7 +79,7 @@ func TestDiskCacheInitialClear(t *testing.T) {
canary := filepath.Join(cacheDir, "canary.txt")
require.NoError(t, os.MkdirAll(filepath.Dir(canary), perm.SharedDir))
- require.NoError(t, os.WriteFile(canary, []byte("chirp chirp"), 0o755))
+ require.NoError(t, os.WriteFile(canary, []byte("chirp chirp"), perm.SharedExecutable))
cache := New(cfg, locator, withDisabledWalker())
require.NoError(t, cache.StartWalkers())
@@ -116,7 +116,7 @@ func TestCleanWalkEmptyDirs(t *testing.T) {
if strings.HasSuffix(tt.path, "/") {
require.NoError(t, os.MkdirAll(p, perm.SharedDir))
} else {
- require.NoError(t, os.WriteFile(p, nil, 0o655))
+ require.NoError(t, os.WriteFile(p, nil, perm.SharedFile))
if tt.stale {
require.NoError(t, os.Chtimes(p, time.Now(), time.Now().Add(-time.Hour)))
}
diff --git a/internal/cgroups/mock_linux_test.go b/internal/cgroups/mock_linux_test.go
index 6857429c7..d54add8d0 100644
--- a/internal/cgroups/mock_linux_test.go
+++ b/internal/cgroups/mock_linux_test.go
@@ -101,7 +101,7 @@ func (m *mockCgroup) setupMockCgroupFiles(
for filename, content := range contentByFilename {
controlFilePath := filepath.Join(cgroupPath, filename)
- require.NoError(t, os.WriteFile(controlFilePath, []byte(content), 0o644))
+ require.NoError(t, os.WriteFile(controlFilePath, []byte(content), perm.SharedFile))
}
for shard := uint(0); shard < manager.cfg.Repositories.Count; shard++ {
@@ -110,7 +110,7 @@ func (m *mockCgroup) setupMockCgroupFiles(
for filename, content := range contentByFilename {
shardControlFilePath := filepath.Join(shardPath, filename)
- require.NoError(t, os.WriteFile(shardControlFilePath, []byte(content), 0o644))
+ require.NoError(t, os.WriteFile(shardControlFilePath, []byte(content), perm.SharedFile))
}
}
}
diff --git a/internal/cgroups/v1_linux_test.go b/internal/cgroups/v1_linux_test.go
index cb249f64d..7f56d87e1 100644
--- a/internal/cgroups/v1_linux_test.go
+++ b/internal/cgroups/v1_linux_test.go
@@ -15,6 +15,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config/cgroups"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
)
@@ -221,7 +222,7 @@ func readCgroupFile(t *testing.T, path string) []byte {
// The cgroups package defaults to permission 0 as it expects the file to be existing (the kernel creates the file)
// and its testing override the permission private variable to something sensible, hence we have to chmod ourselves
// so we can read the file.
- require.NoError(t, os.Chmod(path, 0o666))
+ require.NoError(t, os.Chmod(path, perm.PublicFile))
return testhelper.MustReadFile(t, path)
}
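Review bot: The comment above this `os.Chmod` says the file only has to become readable, yet `perm.PublicFile` grants write access to group and others as well, going by the `0o666` literal it replaces. A narrower constant is enough for a read from the test process: `require.NoError(t, os.Chmod(path, perm.SharedFile))`. That keeps the helper from presenting a world-writable mode as the usual way to make a file readable.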
diff --git a/internal/git/conflict/parser_test.go b/internal/git/conflict/parser_test.go
index 52c308320..5b3eccff6 100644
--- a/internal/git/conflict/parser_test.go
+++ b/internal/git/conflict/parser_test.go
@@ -6,6 +6,7 @@ import (
"testing"
"github.com/stretchr/testify/require"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
)
func TestFile_Resolve(t *testing.T) {
@@ -111,7 +112,7 @@ we can both agree on this line though
t.Run(tt.name, func(t *testing.T) {
entry := Entry{
Path: tt.path,
- Mode: 0o644,
+ Mode: uint(perm.SharedFile),
Contents: []byte("something-with-trailing-newline\n"),
}
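Review bot: `Mode: uint(perm.SharedFile)` mixes two domains. `Entry.Mode` appears to be the mode recorded for a conflict entry rather than a permission applied to a file on disk (its definition is outside this hunk), and the `uint(...)` conversion is only needed because the types differ. Keeping the literal with a comment, `Mode: 0o644, // mode of the conflicted entry, not a filesystem permission`, would prevent the test value from moving if `perm.SharedFile` is ever changed.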
diff --git a/internal/git/dirs_test.go b/internal/git/dirs_test.go
index ae1d7c138..0ebe4292d 100644
--- a/internal/git/dirs_test.go
+++ b/internal/git/dirs_test.go
@@ -73,7 +73,7 @@ func TestObjectDirsOutsideStorage(t *testing.T) {
t.Run(tc.desc, func(t *testing.T) {
ctx := testhelper.Context(t)
- require.NoError(t, os.WriteFile(alternatesFile, []byte(tc.alternates), 0o600))
+ require.NoError(t, os.WriteFile(alternatesFile, []byte(tc.alternates), perm.PrivateFile))
out, err := ObjectDirectories(ctx, storageRoot, repoPath)
require.Equal(t, expectedErr, err)
require.Nil(t, out)
diff --git a/internal/git/execution_environment_test.go b/internal/git/execution_environment_test.go
index a4b8987c7..59aea70bd 100644
--- a/internal/git/execution_environment_test.go
+++ b/internal/git/execution_environment_test.go
@@ -10,6 +10,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/git"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
)
@@ -73,7 +74,7 @@ func TestBundledGitEnvironmentConstructor(t *testing.T) {
seedDirWithExecutables := func(t *testing.T, executableNames ...string) string {
dir := testhelper.TempDir(t)
for _, executableName := range executableNames {
- require.NoError(t, os.WriteFile(filepath.Join(dir, executableName), nil, 0o777))
+ require.NoError(t, os.WriteFile(filepath.Join(dir, executableName), nil, perm.PublicExecutable))
}
return dir
}
@@ -241,7 +242,7 @@ func TestFallbackGitEnvironmentConstructor(t *testing.T) {
t.Run("successfully resolved executable", func(t *testing.T) {
tempDir := testhelper.TempDir(t)
gitPath := filepath.Join(tempDir, "git")
- require.NoError(t, os.WriteFile(gitPath, nil, 0o755))
+ require.NoError(t, os.WriteFile(gitPath, nil, perm.SharedExecutable))
t.Setenv("PATH", "/does/not/exist:"+tempDir)
diff --git a/internal/git/gitattributes/check_attr_test.go b/internal/git/gitattributes/check_attr_test.go
index b39003110..3b2a0fd01 100644
--- a/internal/git/gitattributes/check_attr_test.go
+++ b/internal/git/gitattributes/check_attr_test.go
@@ -139,7 +139,7 @@ func TestCheckAttrCmd_Check(t *testing.T) {
},
} {
t.Run(tc.desc, func(t *testing.T) {
- require.NoError(t, os.WriteFile(attrPath, []byte(tc.attrContent), 0o644))
+ require.NoError(t, os.WriteFile(attrPath, []byte(tc.attrContent), perm.SharedFile))
checkCmd, finish, err := CheckAttr(ctx, repo, []string{"foo", "bar"})
require.NoError(t, err)
diff --git a/internal/git/gittest/http_server.go b/internal/git/gittest/http_server.go
index ef3fd14fd..c69c9aa6f 100644
--- a/internal/git/gittest/http_server.go
+++ b/internal/git/gittest/http_server.go
@@ -11,6 +11,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/git"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
)
@@ -18,7 +19,7 @@ import (
// prepared such that git-http-backend(1) will serve it by creating the "git-daemon-export-ok" magic
// file.
func HTTPServer(tb testing.TB, ctx context.Context, gitCmdFactory git.CommandFactory, repoPath string, middleware func(http.ResponseWriter, *http.Request, http.Handler)) int {
- require.NoError(tb, os.WriteFile(filepath.Join(repoPath, "git-daemon-export-ok"), nil, 0o644))
+ require.NoError(tb, os.WriteFile(filepath.Join(repoPath, "git-daemon-export-ok"), nil, perm.SharedFile))
listener, err := net.Listen("tcp", "127.0.0.1:0")
require.NoError(tb, err)
diff --git a/internal/git/housekeeping/clean_stale_data.go b/internal/git/housekeeping/clean_stale_data.go
index 4c5911643..5d896ea4f 100644
--- a/internal/git/housekeeping/clean_stale_data.go
+++ b/internal/git/housekeeping/clean_stale_data.go
@@ -15,6 +15,7 @@ import (
log "github.com/sirupsen/logrus"
"gitlab.com/gitlab-org/gitaly/v15/internal/git"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/localrepo"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/safe"
"gitlab.com/gitlab-org/gitaly/v15/internal/structerr"
"google.golang.org/grpc/codes"
@@ -24,7 +25,7 @@ const (
emptyRefsGracePeriod = 24 * time.Hour
deleteTempFilesOlderThanDuration = 7 * 24 * time.Hour
brokenRefsGracePeriod = 24 * time.Hour
- minimumDirPerm = 0o700
+ minimumDirPerm = perm.PrivateDir
lockfileGracePeriod = 15 * time.Minute
referenceLockfileGracePeriod = 1 * time.Hour
packedRefsLockGracePeriod = 1 * time.Hour
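Review bot: `minimumDirPerm = perm.PrivateDir` ties the housekeeping threshold to the constant used for creating private directories, so a later edit to `perm.PrivateDir` would silently change whatever check uses `minimumDirPerm` (its uses are outside this hunk). The constant also goes from untyped to typed, judging by the test hunk that compares `perm.PrivateDir` directly with `dirInfo.Mode().Perm()`. A comment such as `// minimumDirPerm is the lowest directory mode housekeeping accepts; intentionally equal to perm.PrivateDir` would document the coupling.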
diff --git a/internal/git/housekeeping/clean_stale_data_test.go b/internal/git/housekeeping/clean_stale_data_test.go
index 3352764da..3a7c468d8 100644
--- a/internal/git/housekeeping/clean_stale_data_test.go
+++ b/internal/git/housekeeping/clean_stale_data_test.go
@@ -49,7 +49,7 @@ func (f *fileEntry) create(t *testing.T, parent string) {
t.Helper()
filename := filepath.Join(parent, f.name)
- ff, err := os.OpenFile(filename, os.O_RDONLY|os.O_CREATE, 0o700)
+ ff, err := os.OpenFile(filename, os.O_RDONLY|os.O_CREATE, perm.PrivateFile)
assert.NoError(t, err, "file creation failed: %v", filename)
err = ff.Close()
assert.NoError(t, err, "file close failed: %v", filename)
@@ -185,18 +185,18 @@ func TestRepositoryManager_CleanStaleData(t *testing.T) {
{
name: "clean",
entries: []entry{
- d("objects", 0o700, 240*time.Hour, Keep,
- f("a", 0o700, 24*time.Hour, Keep),
- f("b", 0o700, 24*time.Hour, Keep),
- f("c", 0o700, 24*time.Hour, Keep),
+ d("objects", perm.PrivateDir, 240*time.Hour, Keep,
+ f("a", perm.PrivateFile, 24*time.Hour, Keep),
+ f("b", perm.PrivateFile, 24*time.Hour, Keep),
+ f("c", perm.PrivateFile, 24*time.Hour, Keep),
),
},
},
{
name: "emptyperms",
entries: []entry{
- d("objects", 0o700, 240*time.Hour, Keep,
- f("b", 0o700, 24*time.Hour, Keep),
+ d("objects", perm.PrivateDir, 240*time.Hour, Keep,
+ f("b", perm.PrivateFile, 24*time.Hour, Keep),
f("tmp_a", 0o000, 2*time.Hour, Keep),
),
},
@@ -204,18 +204,18 @@ func TestRepositoryManager_CleanStaleData(t *testing.T) {
{
name: "emptytempdir",
entries: []entry{
- d("objects", 0o700, 240*time.Hour, Keep,
+ d("objects", perm.PrivateDir, 240*time.Hour, Keep,
d("tmp_d", 0o000, 240*time.Hour, Keep),
- f("b", 0o700, 24*time.Hour, Keep),
+ f("b", perm.PrivateFile, 24*time.Hour, Keep),
),
},
},
{
name: "oldtempfile",
entries: []entry{
- d("objects", 0o700, 240*time.Hour, Keep,
- f("tmp_a", 0o770, 240*time.Hour, Delete),
- f("b", 0o700, 24*time.Hour, Keep),
+ d("objects", perm.PrivateDir, 240*time.Hour, Keep,
+ f("tmp_a", perm.SharedFile, 240*time.Hour, Delete),
+ f("b", perm.PrivateFile, 24*time.Hour, Keep),
),
},
expectedMetrics: cleanStaleDataMetrics{
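Review bot: In the `oldtempfile` case `f("tmp_a", 0o770, ...)` becomes `perm.SharedFile`, while the directory `d("a", 0o770, ...)` in the next hunk becomes `perm.GroupPrivateDir`, so the same literal is mapped two different ways. If `perm.SharedFile` is 0o644, as the other replacements in this commit suggest, the file loses group write and gains read for others. The `f(..., 0o700, ...)` entries and the `os.OpenFile` call in `fileEntry.create` likewise lose the owner execute bit if `perm.PrivateFile` is 0o600. If the cases do not depend on these bits, a table comment such as `// file modes are arbitrary unless a case sets 0o000` would say so; otherwise keep the literal where the exact mode matters. The `files outside of object database` case has the same `0o770` to `perm.SharedFile` substitution, and the test table begins and ends outside this hunk.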
@@ -225,9 +225,9 @@ func TestRepositoryManager_CleanStaleData(t *testing.T) {
{
name: "subdir temp file",
entries: []entry{
- d("objects", 0o700, 240*time.Hour, Keep,
- d("a", 0o770, 240*time.Hour, Keep,
- f("tmp_b", 0o700, 240*time.Hour, Delete),
+ d("objects", perm.PrivateDir, 240*time.Hour, Keep,
+ d("a", perm.GroupPrivateDir, 240*time.Hour, Keep,
+ f("tmp_b", perm.PrivateFile, 240*time.Hour, Delete),
),
),
},
@@ -238,9 +238,9 @@ func TestRepositoryManager_CleanStaleData(t *testing.T) {
{
name: "inaccessible tmp directory",
entries: []entry{
- d("objects", 0o700, 240*time.Hour, Keep,
+ d("objects", perm.PrivateDir, 240*time.Hour, Keep,
d("tmp_a", 0o000, 240*time.Hour, Keep,
- f("tmp_b", 0o700, 240*time.Hour, Delete),
+ f("tmp_b", perm.PrivateFile, 240*time.Hour, Delete),
),
),
},
@@ -248,9 +248,9 @@ func TestRepositoryManager_CleanStaleData(t *testing.T) {
{
name: "deeply nested inaccessible tmp directory",
entries: []entry{
- d("objects", 0o700, 240*time.Hour, Keep,
- d("tmp_a", 0o700, 240*time.Hour, Keep,
- d("tmp_a", 0o700, 24*time.Hour, Keep,
+ d("objects", perm.PrivateDir, 240*time.Hour, Keep,
+ d("tmp_a", perm.PrivateDir, 240*time.Hour, Keep,
+ d("tmp_a", perm.PrivateDir, 24*time.Hour, Keep,
f("tmp_b", 0o000, 240*time.Hour, Delete),
),
),
@@ -263,9 +263,9 @@ func TestRepositoryManager_CleanStaleData(t *testing.T) {
{
name: "files outside of object database",
entries: []entry{
- f("tmp_a", 0o770, 240*time.Hour, Keep),
- d("info", 0o700, 240*time.Hour, Keep,
- f("tmp_a", 0o770, 240*time.Hour, Keep),
+ f("tmp_a", perm.SharedFile, 240*time.Hour, Keep),
+ d("info", perm.PrivateDir, 240*time.Hour, Keep,
+ f("tmp_a", perm.SharedFile, 240*time.Hour, Keep),
),
},
},
@@ -395,7 +395,7 @@ func TestRepositoryManager_CleanStaleData_references(t *testing.T) {
path := filepath.Join(repoPath, ref.name)
require.NoError(t, os.MkdirAll(filepath.Dir(path), perm.SharedDir))
- require.NoError(t, os.WriteFile(path, bytes.Repeat([]byte{0}, ref.size), 0o644))
+ require.NoError(t, os.WriteFile(path, bytes.Repeat([]byte{0}, ref.size), perm.SharedFile))
filetime := time.Now().Add(-ref.age)
require.NoError(t, os.Chtimes(path, filetime, filetime))
}
@@ -431,30 +431,30 @@ func TestRepositoryManager_CleanStaleData_emptyRefDirs(t *testing.T) {
{
name: "unrelated empty directories",
entries: []entry{
- d("objects", 0o700, 240*time.Hour, Keep,
- d("empty", 0o700, 240*time.Hour, Keep),
+ d("objects", perm.PrivateDir, 240*time.Hour, Keep,
+ d("empty", perm.PrivateDir, 240*time.Hour, Keep),
),
},
},
{
name: "empty ref dir gets retained",
entries: []entry{
- d("refs", 0o700, 240*time.Hour, Keep),
+ d("refs", perm.PrivateDir, 240*time.Hour, Keep),
},
},
{
name: "empty nested non-stale ref dir gets kept",
entries: []entry{
- d("refs", 0o700, 240*time.Hour, Keep,
- d("nested", 0o700, 23*time.Hour, Keep),
+ d("refs", perm.PrivateDir, 240*time.Hour, Keep,
+ d("nested", perm.PrivateDir, 23*time.Hour, Keep),
),
},
},
{
name: "empty nested stale ref dir gets pruned",
entries: []entry{
- d("refs", 0o700, 240*time.Hour, Keep,
- d("nested", 0o700, 240*time.Hour, Delete),
+ d("refs", perm.PrivateDir, 240*time.Hour, Keep,
+ d("nested", perm.PrivateDir, 240*time.Hour, Delete),
),
},
expectedMetrics: cleanStaleDataMetrics{
@@ -464,9 +464,9 @@ func TestRepositoryManager_CleanStaleData_emptyRefDirs(t *testing.T) {
{
name: "hierarchy of nested stale ref dirs gets pruned",
entries: []entry{
- d("refs", 0o700, 240*time.Hour, Keep,
- d("first", 0o700, 240*time.Hour, Delete,
- d("second", 0o700, 240*time.Hour, Delete),
+ d("refs", perm.PrivateDir, 240*time.Hour, Keep,
+ d("first", perm.PrivateDir, 240*time.Hour, Delete,
+ d("second", perm.PrivateDir, 240*time.Hour, Delete),
),
),
},
@@ -477,10 +477,10 @@ func TestRepositoryManager_CleanStaleData_emptyRefDirs(t *testing.T) {
{
name: "hierarchy with intermediate non-stale ref dir gets kept",
entries: []entry{
- d("refs", 0o700, 240*time.Hour, Keep,
- d("first", 0o700, 240*time.Hour, Keep,
- d("second", 0o700, 1*time.Hour, Keep,
- d("third", 0o700, 24*time.Hour, Delete),
+ d("refs", perm.PrivateDir, 240*time.Hour, Keep,
+ d("first", perm.PrivateDir, 240*time.Hour, Keep,
+ d("second", perm.PrivateDir, 1*time.Hour, Keep,
+ d("third", perm.PrivateDir, 24*time.Hour, Delete),
),
),
),
@@ -492,13 +492,13 @@ func TestRepositoryManager_CleanStaleData_emptyRefDirs(t *testing.T) {
{
name: "stale hierrachy with refs gets partially retained",
entries: []entry{
- d("refs", 0o700, 240*time.Hour, Keep,
- d("first", 0o700, 240*time.Hour, Keep,
- d("second", 0o700, 240*time.Hour, Delete,
- d("third", 0o700, 24*time.Hour, Delete),
+ d("refs", perm.PrivateDir, 240*time.Hour, Keep,
+ d("first", perm.PrivateDir, 240*time.Hour, Keep,
+ d("second", perm.PrivateDir, 240*time.Hour, Delete,
+ d("third", perm.PrivateDir, 24*time.Hour, Delete),
),
- d("other", 0o700, 240*time.Hour, Keep,
- f("ref", 0o700, 1*time.Hour, Keep),
+ d("other", perm.PrivateDir, 240*time.Hour, Keep,
+ f("ref", perm.PrivateFile, 1*time.Hour, Keep),
),
),
),
@@ -550,7 +550,7 @@ func TestRepositoryManager_CleanStaleData_withSpecificFile(t *testing.T) {
var topLevelDir, currentDir *dirEntry
for _, subdir := range subdirs {
- dir := d(subdir, 0o700, 1*time.Hour, Keep)
+ dir := d(subdir, perm.PrivateDir, 1*time.Hour, Keep)
if topLevelDir == nil {
topLevelDir = dir
}
@@ -662,32 +662,32 @@ func TestRepositoryManager_CleanStaleData_withSpecificFile(t *testing.T) {
}{
{
desc: fmt.Sprintf("fresh %s is kept", tc.file),
- entry: f(tc.file, 0o700, 10*time.Minute, Keep),
+ entry: f(tc.file, perm.PrivateFile, 10*time.Minute, Keep),
},
{
desc: fmt.Sprintf("stale %s in subdir is kept", tc.file),
- entry: d("subdir", 0o700, 240*time.Hour, Keep,
- f(tc.file, 0o700, 24*time.Hour, Keep),
+ entry: d("subdir", perm.PrivateDir, 240*time.Hour, Keep,
+ f(tc.file, perm.PrivateFile, 24*time.Hour, Keep),
),
},
{
desc: fmt.Sprintf("stale %s is deleted", tc.file),
- entry: f(tc.file, 0o700, 61*time.Minute, Delete),
+ entry: f(tc.file, perm.PrivateFile, 61*time.Minute, Delete),
expectedFiles: []string{
filepath.Join(append([]string{repoPath}, append(tc.subdirs, tc.file)...)...),
},
},
{
desc: fmt.Sprintf("%q is kept", tc.file[:len(tc.file)-1]),
- entry: f(tc.file[:len(tc.file)-1], 0o700, 61*time.Minute, Keep),
+ entry: f(tc.file[:len(tc.file)-1], perm.PrivateFile, 61*time.Minute, Keep),
},
{
desc: fmt.Sprintf("%q is kept", "~"+tc.file),
- entry: f("~"+tc.file, 0o700, 61*time.Minute, Keep),
+ entry: f("~"+tc.file, perm.PrivateFile, 61*time.Minute, Keep),
},
{
desc: fmt.Sprintf("%q is kept", tc.file+"~"),
- entry: f(tc.file+"~", 0o700, 61*time.Minute, Keep),
+ entry: f(tc.file+"~", perm.PrivateFile, 61*time.Minute, Keep),
},
} {
t.Run(subcase.desc, func(t *testing.T) {
@@ -721,18 +721,18 @@ func TestRepositoryManager_CleanStaleData_serverInfo(t *testing.T) {
repo := localrepo.NewTestRepo(t, cfg, repoProto)
entries := []entry{
- d("info", 0o755, 0, Keep,
- f("ref", 0, 0o644, Keep),
- f("refs", 0, 0o644, Delete),
- f("refsx", 0, 0o644, Keep),
- f("refs_123456", 0, 0o644, Delete),
+ d("info", perm.SharedDir, 0, Keep,
+ f("ref", perm.SharedFile, 0, Keep),
+ f("refs", perm.SharedFile, 0, Delete),
+ f("refsx", perm.SharedFile, 0, Keep),
+ f("refs_123456", perm.SharedFile, 0, Delete),
),
- d("objects", 0o755, 0, Keep,
- d("info", 0o755, 0, Keep,
- f("pack", 0, 0o644, Keep),
- f("packs", 0, 0o644, Delete),
- f("packsx", 0, 0o644, Keep),
- f("packs_123456", 0, 0o644, Delete),
+ d("objects", perm.SharedDir, 0, Keep,
+ d("info", perm.SharedDir, 0, Keep,
+ f("pack", perm.SharedFile, 0, Keep),
+ f("packs", perm.SharedFile, 0, Delete),
+ f("packsx", perm.SharedFile, 0, Keep),
+ f("packs_123456", perm.SharedFile, 0, Delete),
),
),
}
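Review bot: The added `f(...)` lines pass the mode second and `0` third, whereas the removed lines passed `0` second and `0o644` third, so these fixtures change from mode 0 to `perm.SharedFile` and their age changes from 0o644 to 0. Judging by the other `f(name, mode, age, state)` calls in this file, this fixes swapped arguments rather than extracting a constant, and it deserves a sentence in the commit message. It also means the test no longer runs against files created without any permission bits. If that was never intended nothing more is needed, otherwise one explicit `0o000` entry should be kept. The signature of `f` is outside the hunk, so the argument order is inferred.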
@@ -776,18 +776,18 @@ func TestRepositoryManager_CleanStaleData_referenceLocks(t *testing.T) {
{
desc: "fresh lock is kept",
entries: []entry{
- d("refs", 0o755, 0*time.Hour, Keep,
- f("main", 0o755, 10*time.Minute, Keep),
- f("main.lock", 0o755, 10*time.Minute, Keep),
+ d("refs", perm.SharedDir, 0*time.Hour, Keep,
+ f("main", perm.SharedExecutable, 10*time.Minute, Keep),
+ f("main.lock", perm.SharedExecutable, 10*time.Minute, Keep),
),
},
},
{
desc: "stale lock is deleted",
entries: []entry{
- d("refs", 0o755, 0*time.Hour, Keep,
- f("main", 0o755, 1*time.Hour, Keep),
- f("main.lock", 0o755, 1*time.Hour, Delete),
+ d("refs", perm.SharedDir, 0*time.Hour, Keep,
+ f("main", perm.SharedExecutable, 1*time.Hour, Keep),
+ f("main.lock", perm.SharedExecutable, 1*time.Hour, Delete),
),
},
expectedReferenceLocks: []string{
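Review bot: `perm.SharedExecutable` on `f("main", ...)` and `f("main.lock", ...)` preserves the old `0o755`, but it labels reference and lock files as executables, which they are not. Other fixtures for plain repository data in this commit, such as `packed-refs` in repository_info_test.go, use `perm.SharedFile`. If the stale-lock logic does not depend on the executable bit, `f("main.lock", perm.SharedFile, 1*time.Hour, Delete)` would describe the fixture more accurately. Otherwise add a comment saying why the bit is kept. The "nested reference locks are deleted" case in the next hunk has the same entries.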
@@ -800,18 +800,18 @@ func TestRepositoryManager_CleanStaleData_referenceLocks(t *testing.T) {
{
desc: "nested reference locks are deleted",
entries: []entry{
- d("refs", 0o755, 0*time.Hour, Keep,
- d("tags", 0o755, 0*time.Hour, Keep,
- f("main", 0o755, 1*time.Hour, Keep),
- f("main.lock", 0o755, 1*time.Hour, Delete),
+ d("refs", perm.SharedDir, 0*time.Hour, Keep,
+ d("tags", perm.SharedDir, 0*time.Hour, Keep,
+ f("main", perm.SharedExecutable, 1*time.Hour, Keep),
+ f("main.lock", perm.SharedExecutable, 1*time.Hour, Delete),
),
- d("heads", 0o755, 0*time.Hour, Keep,
- f("main", 0o755, 1*time.Hour, Keep),
- f("main.lock", 0o755, 1*time.Hour, Delete),
+ d("heads", perm.SharedDir, 0*time.Hour, Keep,
+ f("main", perm.SharedExecutable, 1*time.Hour, Keep),
+ f("main.lock", perm.SharedExecutable, 1*time.Hour, Delete),
),
- d("foobar", 0o755, 0*time.Hour, Keep,
- f("main", 0o755, 1*time.Hour, Keep),
- f("main.lock", 0o755, 1*time.Hour, Delete),
+ d("foobar", perm.SharedDir, 0*time.Hour, Keep,
+ f("main", perm.SharedExecutable, 1*time.Hour, Keep),
+ f("main.lock", perm.SharedExecutable, 1*time.Hour, Delete),
),
),
},
@@ -1001,7 +1001,7 @@ func TestRepositoryManager_CleanStaleData_unsetConfiguration(t *testing.T) {
else = untouched
[totally]
unrelated = untouched
-`), 0o644))
+`), perm.SharedFile))
mgr := NewManager(cfg.Prometheus, nil)
@@ -1092,7 +1092,7 @@ func TestRepositoryManager_CleanStaleData_pruneEmptyConfigSections(t *testing.T)
[remote "tmp-03b5e8c765135b343214d471843a062a"]
[remote "tmp-f57338181aca1d599669dbb71ce9ce57"]
[remote "tmp-8c948ca94832c2725733e48cb2902287"]
-`), 0o644))
+`), perm.SharedFile))
mgr := NewManager(cfg.Prometheus, nil)
@@ -1240,7 +1240,7 @@ func TestPruneEmptyConfigSections(t *testing.T) {
},
} {
t.Run(tc.desc, func(t *testing.T) {
- require.NoError(t, os.WriteFile(configPath, []byte(tc.configData), 0o644))
+ require.NoError(t, os.WriteFile(configPath, []byte(tc.configData), perm.SharedFile))
skippedSections, err := pruneEmptyConfigSections(ctx, repo)
require.NoError(t, err)
diff --git a/internal/git/housekeeping/optimize_repository_test.go b/internal/git/housekeeping/optimize_repository_test.go
index 831d22f85..318995475 100644
--- a/internal/git/housekeeping/optimize_repository_test.go
+++ b/internal/git/housekeeping/optimize_repository_test.go
@@ -423,7 +423,7 @@ func testOptimizeRepository(t *testing.T, ctx context.Context) {
for i := 0; i < looseObjectLimit+1; i++ {
blobPath := filepath.Join(repoPath, "objects", "17", fmt.Sprintf("%d", i))
- require.NoError(t, os.WriteFile(blobPath, nil, 0o644))
+ require.NoError(t, os.WriteFile(blobPath, nil, perm.SharedFile))
require.NoError(t, os.Chtimes(blobPath, almostTwoWeeksAgo, almostTwoWeeksAgo))
}
@@ -463,7 +463,7 @@ func testOptimizeRepository(t *testing.T, ctx context.Context) {
for i := 0; i < looseObjectLimit+1; i++ {
blobPath := filepath.Join(repoPath, "objects", "17", fmt.Sprintf("%d", i))
- require.NoError(t, os.WriteFile(blobPath, nil, 0o644))
+ require.NoError(t, os.WriteFile(blobPath, nil, perm.SharedFile))
require.NoError(t, os.Chtimes(blobPath, moreThanTwoWeeksAgo, moreThanTwoWeeksAgo))
}
diff --git a/internal/git/localrepo/objects_test.go b/internal/git/localrepo/objects_test.go
index 2edca3cd0..3727a574e 100644
--- a/internal/git/localrepo/objects_test.go
+++ b/internal/git/localrepo/objects_test.go
@@ -81,7 +81,7 @@ func testRepoWriteBlob(t *testing.T, ctx context.Context) {
t.Run(tc.desc, func(t *testing.T) {
attributesPath := filepath.Join(repoPath, "info", "attributes")
require.NoError(t, os.MkdirAll(filepath.Dir(attributesPath), perm.SharedDir))
- require.NoError(t, os.WriteFile(attributesPath, []byte(tc.attributes), os.ModePerm))
+ require.NoError(t, os.WriteFile(attributesPath, []byte(tc.attributes), perm.PublicFile))
sha, err := repo.WriteBlob(ctx, "file-path", tc.input)
require.Equal(t, tc.error, err)
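Review bot: `perm.PublicFile` makes the `info/attributes` fixture world-writable, and because it replaces `os.ModePerm` here while standing in for `0o666` elsewhere in this commit, the mode is presumably also different from before. The test only needs the file to be readable, so the narrower constant fits better: `os.WriteFile(attributesPath, []byte(tc.attributes), perm.SharedFile)`. The three `objects/info/alternates` writes in TestSize in repo_test.go have the same issue. By contrast, link_test.go and pool_test.go already write the alternates file with `perm.SharedFile`.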
diff --git a/internal/git/localrepo/refs_test.go b/internal/git/localrepo/refs_test.go
index a98009fdf..71866b02e 100644
--- a/internal/git/localrepo/refs_test.go
+++ b/internal/git/localrepo/refs_test.go
@@ -19,6 +19,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/transaction"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/helper/text"
"gitlab.com/gitlab-org/gitaly/v15/internal/safe"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
@@ -582,7 +583,7 @@ func TestRepo_SetDefaultBranch_errors(t *testing.T) {
path, err := repo.Path()
require.NoError(t, err)
- require.NoError(t, os.WriteFile(filepath.Join(path, "HEAD.lock"), []byte(""), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(path, "HEAD.lock"), []byte(""), perm.SharedFile))
err = repo.SetDefaultBranch(ctx, &transaction.MockManager{}, "refs/heads/branch")
require.ErrorIs(t, err, safe.ErrFileAlreadyLocked)
diff --git a/internal/git/localrepo/repo_test.go b/internal/git/localrepo/repo_test.go
index 25d7f9986..4c69cb599 100644
--- a/internal/git/localrepo/repo_test.go
+++ b/internal/git/localrepo/repo_test.go
@@ -13,6 +13,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/git/catfile"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/helper/text"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper/testcfg"
@@ -235,7 +236,7 @@ func TestSize(t *testing.T) {
require.NoError(t, os.WriteFile(
filepath.Join(repoPath, "objects", "info", "alternates"),
[]byte(filepath.Join(poolPath, "objects")),
- os.ModePerm,
+ perm.PublicFile,
))
for _, path := range []string{repoPath, poolPath} {
@@ -269,7 +270,7 @@ func TestSize(t *testing.T) {
require.NoError(t, os.WriteFile(
filepath.Join(repoPath, "objects", "info", "alternates"),
[]byte(filepath.Join(poolPath, "objects")),
- os.ModePerm,
+ perm.PublicFile,
))
// We write the same object into both repositories, so we should
@@ -304,7 +305,7 @@ func TestSize(t *testing.T) {
require.NoError(t, os.WriteFile(
filepath.Join(repoPath, "objects", "info", "alternates"),
[]byte(filepath.Join(poolPath, "objects")),
- os.ModePerm,
+ perm.PublicFile,
))
for i, path := range []string{repoPath, poolPath} {
diff --git a/internal/git/objectpool/link_test.go b/internal/git/objectpool/link_test.go
index 2c691164c..eb8074dc7 100644
--- a/internal/git/objectpool/link_test.go
+++ b/internal/git/objectpool/link_test.go
@@ -12,6 +12,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/git/localrepo"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/stats"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/transaction"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/transaction/txinfo"
"google.golang.org/grpc/peer"
@@ -117,7 +118,7 @@ func TestLink_absoluteLinkExists(t *testing.T) {
altPath, err := repo.InfoAlternatesPath()
require.NoError(t, err)
- require.NoError(t, os.WriteFile(altPath, []byte(poolObjectsPath), 0o644))
+ require.NoError(t, os.WriteFile(altPath, []byte(poolObjectsPath), perm.SharedFile))
require.NoError(t, pool.Link(ctx, repo), "we expect this call to change the absolute link to a relative link")
diff --git a/internal/git/objectpool/pool_test.go b/internal/git/objectpool/pool_test.go
index 13e5b4798..57c1d6071 100644
--- a/internal/git/objectpool/pool_test.go
+++ b/internal/git/objectpool/pool_test.go
@@ -110,7 +110,7 @@ func TestFromRepo_failures(t *testing.T) {
require.NoError(t, os.MkdirAll(filepath.Join(repoPath, "objects", "info"), perm.SharedDir))
alternateFilePath := filepath.Join(repoPath, "objects", "info", "alternates")
- require.NoError(t, os.WriteFile(alternateFilePath, tc.fileContent, 0o644))
+ require.NoError(t, os.WriteFile(alternateFilePath, tc.fileContent, perm.SharedFile))
poolFromRepo, err := FromRepo(locator, pool.gitCmdFactory, nil, nil, nil, repo)
require.Equal(t, tc.expectedErr, err)
require.Nil(t, poolFromRepo)
diff --git a/internal/git/quarantine/quarantine_test.go b/internal/git/quarantine/quarantine_test.go
index 390bdf9e1..4d372fcc2 100644
--- a/internal/git/quarantine/quarantine_test.go
+++ b/internal/git/quarantine/quarantine_test.go
@@ -34,7 +34,7 @@ func (e entry) create(t *testing.T, root string) {
child.create(t, filepath.Join(root, name))
}
} else {
- require.NoError(t, os.WriteFile(root, []byte(e.contents), 0o666))
+ require.NoError(t, os.WriteFile(root, []byte(e.contents), perm.PublicFile))
}
}
@@ -122,7 +122,7 @@ func TestQuarantine_Migrate(t *testing.T) {
quarantine, err := New(ctx, repo, locator)
require.NoError(t, err)
- require.NoError(t, os.WriteFile(filepath.Join(quarantine.dir.Path(), "file"), []byte("foobar"), 0o666))
+ require.NoError(t, os.WriteFile(filepath.Join(quarantine.dir.Path(), "file"), []byte("foobar"), perm.PublicFile))
require.NoError(t, quarantine.Migrate())
newContents := listEntries(t, repoPath)
@@ -337,7 +337,7 @@ func TestFinalizeObjectFile(t *testing.T) {
source := filepath.Join(dir, "a")
target := filepath.Join(dir, "b")
- require.NoError(t, os.WriteFile(source, []byte("a"), 0o777))
+ require.NoError(t, os.WriteFile(source, []byte("a"), perm.PublicExecutable))
require.NoError(t, finalizeObjectFile(source, target))
require.NoFileExists(t, source)
@@ -350,7 +350,7 @@ func TestFinalizeObjectFile(t *testing.T) {
source := filepath.Join(sourceDir, "a")
target := filepath.Join(targetDir, "a")
- require.NoError(t, os.WriteFile(source, []byte("a"), 0o777))
+ require.NoError(t, os.WriteFile(source, []byte("a"), perm.PublicExecutable))
require.NoError(t, finalizeObjectFile(source, target))
require.NoFileExists(t, source)
@@ -361,10 +361,10 @@ func TestFinalizeObjectFile(t *testing.T) {
dir := testhelper.TempDir(t)
source := filepath.Join(dir, "a")
- require.NoError(t, os.WriteFile(source, []byte("a"), 0o777))
+ require.NoError(t, os.WriteFile(source, []byte("a"), perm.PublicExecutable))
target := filepath.Join(dir, "b")
- require.NoError(t, os.WriteFile(target, []byte("b"), 0o777))
+ require.NoError(t, os.WriteFile(target, []byte("b"), perm.PublicExecutable))
// We do not expect an error in case the target file exists: given that objects and
// packs are content addressable, a file with the same name should have the same
diff --git a/internal/git/remoterepo/repository_test.go b/internal/git/remoterepo/repository_test.go
index b5dfa4616..f2e4865f9 100644
--- a/internal/git/remoterepo/repository_test.go
+++ b/internal/git/remoterepo/repository_test.go
@@ -14,6 +14,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/remoterepo"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/storage"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/metadata"
"gitlab.com/gitlab-org/gitaly/v15/internal/structerr"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
@@ -113,7 +114,7 @@ func TestRepository_ObjectHash(t *testing.T) {
"[extensions]",
"objectFormat = blake2b",
}, "\n"),
- ), 0o644))
+ ), perm.SharedFile))
repo, err := remoterepo.New(ctx, repoProto, pool)
require.NoError(t, err)
diff --git a/internal/git/ssh.go b/internal/git/ssh.go
index be411576f..93f312597 100644
--- a/internal/git/ssh.go
+++ b/internal/git/ssh.go
@@ -8,6 +8,7 @@ import (
"strings"
"github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus/ctxlogrus"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
)
// BuildSSHInvocation builds a command line to invoke SSH with the provided key and known hosts.
@@ -32,7 +33,7 @@ func BuildSSHInvocation(ctx context.Context, sshKey, knownHosts string) (string,
args := []string{sshCommand}
if sshKey != "" {
sshKeyFile := filepath.Join(tmpDir, "ssh-key")
- if err := os.WriteFile(sshKeyFile, []byte(sshKey), 0o400); err != nil {
+ if err := os.WriteFile(sshKeyFile, []byte(sshKey), perm.PrivateWriteOnceFile); err != nil {
cleanup()
return "", nil, fmt.Errorf("create ssh key file: %w", err)
}
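Review bot: `os.WriteFile` applies `perm.PrivateWriteOnceFile` only when it creates the file. If `ssh-key` already exists in `tmpDir`, it is truncated and keeps whatever mode it had, so the confidentiality of the key rests on `tmpDir` being freshly created and owner-only. The creation of `tmpDir` is outside this hunk, so that cannot be confirmed here. If it is guaranteed, say so above the write, e.g. `// tmpDir is new and owner-only, so this always creates the file with the write-once mode`. Otherwise create the file exclusively with `os.OpenFile(sshKeyFile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm.PrivateWriteOnceFile)` and fail if it already exists. The known-hosts write in the next hunk follows the same pattern.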
@@ -42,7 +43,7 @@ func BuildSSHInvocation(ctx context.Context, sshKey, knownHosts string) (string,
if knownHosts != "" {
knownHostsFile := filepath.Join(tmpDir, "known-hosts")
- if err := os.WriteFile(knownHostsFile, []byte(knownHosts), 0o400); err != nil {
+ if err := os.WriteFile(knownHostsFile, []byte(knownHosts), perm.PrivateWriteOnceFile); err != nil {
cleanup()
return "", nil, fmt.Errorf("create known hosts file: %w", err)
}
diff --git a/internal/git/stats/repository_info_test.go b/internal/git/stats/repository_info_test.go
index 3e11904f5..faafc1be2 100644
--- a/internal/git/stats/repository_info_test.go
+++ b/internal/git/stats/repository_info_test.go
@@ -257,7 +257,7 @@ func TestRepositoryInfoForRepository(t *testing.T) {
desc: "garbage",
setup: func(t *testing.T, repoPath string) {
garbagePath := filepath.Join(repoPath, "objects", "pack", "garbage")
- require.NoError(t, os.WriteFile(garbagePath, []byte("x"), 0o600))
+ require.NoError(t, os.WriteFile(garbagePath, []byte("x"), perm.PrivateFile))
},
expectedInfo: RepositoryInfo{
Packfiles: PackfilesInfo{
@@ -270,7 +270,7 @@ func TestRepositoryInfoForRepository(t *testing.T) {
desc: "alternates",
setup: func(t *testing.T, repoPath string) {
infoAlternatesPath := filepath.Join(repoPath, "objects", "info", "alternates")
- require.NoError(t, os.WriteFile(infoAlternatesPath, []byte(alternatePath), 0o600))
+ require.NoError(t, os.WriteFile(infoAlternatesPath, []byte(alternatePath), perm.PrivateFile))
},
expectedInfo: RepositoryInfo{
Alternates: []string{
@@ -355,7 +355,7 @@ func TestRepositoryInfoForRepository(t *testing.T) {
desc: "all together",
setup: func(t *testing.T, repoPath string) {
infoAlternatesPath := filepath.Join(repoPath, "objects", "info", "alternates")
- require.NoError(t, os.WriteFile(infoAlternatesPath, []byte(alternatePath), 0o600))
+ require.NoError(t, os.WriteFile(infoAlternatesPath, []byte(alternatePath), perm.PrivateFile))
// We write a single packed blob.
blobID := gittest.WriteBlob(t, cfg, repoPath, []byte("x"))
@@ -370,7 +370,7 @@ func TestRepositoryInfoForRepository(t *testing.T) {
// everywhere.
for _, file := range []string{"garbage1", "garbage2", "garbage3"} {
garbagePath := filepath.Join(repoPath, "objects", "pack", file)
- require.NoError(t, os.WriteFile(garbagePath, []byte("x"), 0o600))
+ require.NoError(t, os.WriteFile(garbagePath, []byte("x"), perm.PrivateFile))
}
},
expectedInfo: RepositoryInfo{
@@ -444,7 +444,7 @@ func TestReferencesInfoForRepository(t *testing.T) {
// We just write some random garbage -- we don't verify contents
// anyway, but just the size. And testing like that is at least
// deterministic as we don't have to special-case hash sizes.
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, "packed-refs"), []byte("content"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, "packed-refs"), []byte("content"), perm.SharedFile))
},
expectedInfo: ReferencesInfo{
PackedReferencesSize: 7,
@@ -464,7 +464,7 @@ func TestReferencesInfoForRepository(t *testing.T) {
// We just write some random garbage -- we don't verify contents
// anyway, but just the size. And testing like that is at least
// deterministic as we don't have to special-case hash sizes.
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, "packed-refs"), []byte("content"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, "packed-refs"), []byte("content"), perm.SharedFile))
},
expectedInfo: ReferencesInfo{
LooseReferencesCount: 3,
@@ -515,7 +515,7 @@ func TestCountLooseObjects(t *testing.T) {
differentShard := filepath.Join(repoPath, "objects", "a0")
require.NoError(t, os.MkdirAll(differentShard, perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(differentShard, "123456"), []byte("foobar"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(differentShard, "123456"), []byte("foobar"), perm.SharedFile))
requireLooseObjectsInfo(t, repo, time.Now(), LooseObjectsInfo{
Count: 1,
@@ -531,7 +531,7 @@ func TestCountLooseObjects(t *testing.T) {
for i, shard := range []string{"00", "17", "32", "ff"} {
shardPath := filepath.Join(repoPath, "objects", shard)
require.NoError(t, os.MkdirAll(shardPath, perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(shardPath, "123456"), make([]byte, i), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(shardPath, "123456"), make([]byte, i), perm.SharedFile))
}
requireLooseObjectsInfo(t, repo, time.Now(), LooseObjectsInfo{
@@ -558,7 +558,7 @@ func TestCountLooseObjects(t *testing.T) {
beforeCutoffDate := cutoffDate.Add(-1 * time.Minute)
for _, objectPath := range objectPaths {
- require.NoError(t, os.WriteFile(objectPath, []byte("1"), 0o644))
+ require.NoError(t, os.WriteFile(objectPath, []byte("1"), perm.SharedFile))
require.NoError(t, os.Chtimes(objectPath, afterCutoffDate, afterCutoffDate))
}
@@ -587,8 +587,8 @@ func TestCountLooseObjects(t *testing.T) {
shard := filepath.Join(repoPath, "objects", "17")
require.NoError(t, os.MkdirAll(shard, perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(shard, "012345"), []byte("valid"), 0o644))
- require.NoError(t, os.WriteFile(filepath.Join(shard, "garbage"), []byte("garbage"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(shard, "012345"), []byte("valid"), perm.SharedFile))
+ require.NoError(t, os.WriteFile(filepath.Join(shard, "garbage"), []byte("garbage"), perm.SharedFile))
requireLooseObjectsInfo(t, repo, time.Now(), LooseObjectsInfo{
Count: 1,
@@ -627,7 +627,7 @@ func BenchmarkCountLooseObjects(b *testing.B) {
objectPath := filepath.Join(repoPath, "objects", "17", "12345")
require.NoError(b, os.Mkdir(filepath.Dir(objectPath), perm.SharedDir))
- require.NoError(b, os.WriteFile(objectPath, nil, 0o644))
+ require.NoError(b, os.WriteFile(objectPath, nil, perm.SharedFile))
b.ResetTimer()
for i := 0; i < b.N; i++ {
@@ -642,7 +642,7 @@ func BenchmarkCountLooseObjects(b *testing.B) {
for i := 0; i < 256; i++ {
objectPath := filepath.Join(repoPath, "objects", fmt.Sprintf("%02x", i), "12345")
require.NoError(b, os.Mkdir(filepath.Dir(objectPath), perm.SharedDir))
- require.NoError(b, os.WriteFile(objectPath, nil, 0o644))
+ require.NoError(b, os.WriteFile(objectPath, nil, perm.SharedFile))
}
b.ResetTimer()
@@ -671,7 +671,7 @@ func BenchmarkCountLooseObjects(b *testing.B) {
for j := 0; j < looseObjectCount; j++ {
objectPath := filepath.Join(shardPath, fmt.Sprintf("%d", j))
- require.NoError(b, os.WriteFile(objectPath, nil, 0o644))
+ require.NoError(b, os.WriteFile(objectPath, nil, perm.SharedFile))
}
}
@@ -691,7 +691,7 @@ func BenchmarkCountLooseObjects(b *testing.B) {
for j := 0; j < 1000; j++ {
objectPath := filepath.Join(shardPath, fmt.Sprintf("%d", j))
- require.NoError(b, os.WriteFile(objectPath, nil, 0o644))
+ require.NoError(b, os.WriteFile(objectPath, nil, perm.SharedFile))
}
}
@@ -725,7 +725,7 @@ func TestPackfileInfoForRepository(t *testing.T) {
seedRepository: func(t *testing.T, repoPath string) {
packfileDir := filepath.Join(repoPath, "objects", "pack")
require.NoError(t, os.MkdirAll(packfileDir, perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.pack"), []byte("foobar"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.pack"), []byte("foobar"), perm.SharedFile))
},
expectedInfo: PackfilesInfo{
Count: 1,
@@ -737,8 +737,8 @@ func TestPackfileInfoForRepository(t *testing.T) {
seedRepository: func(t *testing.T, repoPath string) {
packfileDir := filepath.Join(repoPath, "objects", "pack")
require.NoError(t, os.MkdirAll(packfileDir, perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.pack"), []byte("foobar"), 0o644))
- require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.keep"), []byte("foobar"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.pack"), []byte("foobar"), perm.SharedFile))
+ require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.keep"), []byte("foobar"), perm.SharedFile))
},
expectedInfo: PackfilesInfo{
KeepCount: 1,
@@ -750,8 +750,8 @@ func TestPackfileInfoForRepository(t *testing.T) {
seedRepository: func(t *testing.T, repoPath string) {
packfileDir := filepath.Join(repoPath, "objects", "pack")
require.NoError(t, os.MkdirAll(packfileDir, perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.pack"), []byte("foobar"), 0o644))
- require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.mtimes"), []byte("foobar"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.pack"), []byte("foobar"), perm.SharedFile))
+ require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.mtimes"), []byte("foobar"), perm.SharedFile))
},
expectedInfo: PackfilesInfo{
CruftCount: 1,
@@ -763,8 +763,8 @@ func TestPackfileInfoForRepository(t *testing.T) {
seedRepository: func(t *testing.T, repoPath string) {
packfileDir := filepath.Join(repoPath, "objects", "pack")
require.NoError(t, os.MkdirAll(packfileDir, perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.pack"), []byte("foobar"), 0o644))
- require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-bar.pack"), []byte("123"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-foo.pack"), []byte("foobar"), perm.SharedFile))
+ require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "pack-bar.pack"), []byte("123"), perm.SharedFile))
},
expectedInfo: PackfilesInfo{
Count: 2,
@@ -793,7 +793,7 @@ func TestPackfileInfoForRepository(t *testing.T) {
seedRepository: func(t *testing.T, repoPath string) {
packfileDir := filepath.Join(repoPath, "objects", "pack")
require.NoError(t, os.MkdirAll(packfileDir, perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "multi-pack-index"), nil, 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(packfileDir, "multi-pack-index"), nil, perm.SharedFile))
},
expectedInfo: PackfilesInfo{
HasMultiPackIndex: true,
@@ -824,7 +824,7 @@ func TestPackfileInfoForRepository(t *testing.T) {
gittest.WriteCommit(t, cfg, repoPath, gittest.WithMessage("second"), gittest.WithBranch("second"))
gittest.Exec(t, cfg, "-C", repoPath, "repack", "-db", "--write-midx")
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, "objects", "pack", "garbage"), []byte("1"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, "objects", "pack", "garbage"), []byte("1"), perm.SharedFile))
},
expectedInfo: PackfilesInfo{
Count: 2,
@@ -1139,7 +1139,7 @@ func TestBitmapInfoForPath(t *testing.T) {
desc: "header is too short",
setup: func(t *testing.T) string {
bitmapPath := filepath.Join(testhelper.TempDir(t), "bitmap")
- require.NoError(t, os.WriteFile(bitmapPath, []byte{0, 0, 0}, 0o644))
+ require.NoError(t, os.WriteFile(bitmapPath, []byte{0, 0, 0}, perm.SharedFile))
return bitmapPath
},
expectedErr: fmt.Errorf("reading bitmap header: %w", io.ErrUnexpectedEOF),
@@ -1150,7 +1150,7 @@ func TestBitmapInfoForPath(t *testing.T) {
bitmapPath := filepath.Join(testhelper.TempDir(t), "bitmap")
require.NoError(t, os.WriteFile(bitmapPath, []byte{
'B', 'I', 'T', 'O', 0, 0, 0, 0,
- }, 0o644))
+ }, perm.SharedFile))
return bitmapPath
},
expectedErr: fmt.Errorf("invalid bitmap signature: %q", "BITO"),
@@ -1161,7 +1161,7 @@ func TestBitmapInfoForPath(t *testing.T) {
bitmapPath := filepath.Join(testhelper.TempDir(t), "bitmap")
require.NoError(t, os.WriteFile(bitmapPath, []byte{
'B', 'I', 'T', 'M', 0, 2, 0, 0,
- }, 0o644))
+ }, perm.SharedFile))
return bitmapPath
},
expectedErr: fmt.Errorf("unsupported version: 2"),
diff --git a/internal/gitaly/config/config_test.go b/internal/gitaly/config/config_test.go
index 3f3a3e05b..c6bb4d32a 100644
--- a/internal/gitaly/config/config_test.go
+++ b/internal/gitaly/config/config_test.go
@@ -185,7 +185,7 @@ func TestValidateStorages(t *testing.T) {
require.NoError(t, os.MkdirAll(nestedRepositories, perm.PublicDir))
filePath := filepath.Join(testhelper.TempDir(t), "temporary-file")
- require.NoError(t, os.WriteFile(filePath, []byte{}, 0o666))
+ require.NoError(t, os.WriteFile(filePath, []byte{}, perm.PublicFile))
invalidDir := filepath.Join(repositories, t.Name())
@@ -427,7 +427,7 @@ func TestValidateShellPath(t *testing.T) {
require.NoError(t, os.MkdirAll(filepath.Join(tmpDir, "bin"), perm.SharedDir))
tmpFile := filepath.Join(tmpDir, "my-file")
- require.NoError(t, os.WriteFile(tmpFile, []byte{}, 0o666))
+ require.NoError(t, os.WriteFile(tmpFile, []byte{}, perm.PublicFile))
testCases := []struct {
desc string
@@ -473,7 +473,7 @@ func TestConfigureRuby(t *testing.T) {
tmpDir := testhelper.TempDir(t)
tmpFile := filepath.Join(tmpDir, "file")
- require.NoError(t, os.WriteFile(tmpFile, nil, 0o644))
+ require.NoError(t, os.WriteFile(tmpFile, nil, perm.SharedFile))
testCases := []struct {
desc string
@@ -1264,7 +1264,7 @@ func TestSetupRuntimeDirectory(t *testing.T) {
t.Run("validation", func(t *testing.T) {
dirPath := testhelper.TempDir(t)
filePath := filepath.Join(dirPath, "file")
- require.NoError(t, os.WriteFile(filePath, nil, 0o644))
+ require.NoError(t, os.WriteFile(filePath, nil, perm.SharedFile))
for _, tc := range []struct {
desc string
diff --git a/internal/gitaly/config/temp_dir_test.go b/internal/gitaly/config/temp_dir_test.go
index 2e809363a..62b188776 100644
--- a/internal/gitaly/config/temp_dir_test.go
+++ b/internal/gitaly/config/temp_dir_test.go
@@ -62,7 +62,7 @@ func TestPruneOldGitalyProcessDirectories(t *testing.T) {
// Create an unexpected file in the runtime directory
unexpectedFilePath := filepath.Join(baseDir, "unexpected-file")
- require.NoError(t, os.WriteFile(unexpectedFilePath, []byte(""), os.ModePerm))
+ require.NoError(t, os.WriteFile(unexpectedFilePath, []byte(""), perm.PublicFile))
expectedLogs[unexpectedFilePath] = "ignoring file found in gitaly process directory"
nonPrunableDirs := []string{ownRuntimeDir}
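Review bot: The replacement on the `unexpectedFilePath` line is not a like-for-like substitution. `os.ModePerm` is 0o777, while `perm.PublicFile` stands in for 0o666 at the other call sites in this commit, so the unexpected file is now created without execute bits. If that narrowing is intended, it deserves a mention in the commit message, because the rest of the change reads as a pure rename. If the old mode should be kept, the equivalent used elsewhere in this commit for 0o777 is `perm.PublicExecutable`. The body of TestPruneOldGitalyProcessDirectories starts and continues outside this hunk.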
diff --git a/internal/gitaly/hook/custom_test.go b/internal/gitaly/hook/custom_test.go
index 6f109998b..52febe6bb 100644
--- a/internal/gitaly/hook/custom_test.go
+++ b/internal/gitaly/hook/custom_test.go
@@ -445,7 +445,7 @@ type customHookResults struct {
func writeCustomHook(t *testing.T, hookName, dir string, content []byte) func() {
require.NoError(t, os.MkdirAll(dir, perm.SharedDir))
- require.NoError(t, os.WriteFile(filepath.Join(dir, hookName), content, 0o755))
+ require.NoError(t, os.WriteFile(filepath.Join(dir, hookName), content, perm.SharedExecutable))
return func() {
require.NoError(t, os.RemoveAll(dir))
diff --git a/internal/gitaly/linguist/language_stats_test.go b/internal/gitaly/linguist/language_stats_test.go
index 74f66a568..fa296e4bf 100644
--- a/internal/gitaly/linguist/language_stats_test.go
+++ b/internal/gitaly/linguist/language_stats_test.go
@@ -11,6 +11,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/localrepo"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper/testcfg"
)
@@ -49,7 +50,7 @@ func TestInitLanguageStats(t *testing.T) {
{
desc: "corrupt cache",
run: func(t *testing.T, repo *localrepo.Repo, repoPath string) {
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, languageStatsFilename), []byte("garbage"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, languageStatsFilename), []byte("garbage"), perm.SharedFile))
stats, err := initLanguageStats(repo)
require.Errorf(t, err, "new language stats zlib reader: invalid header")
@@ -67,7 +68,7 @@ func TestInitLanguageStats(t *testing.T) {
stats.Version = "faulty"
// Copy save() behavior, but with a faulty version
- file, err := os.OpenFile(filepath.Join(repoPath, languageStatsFilename), os.O_WRONLY|os.O_CREATE, 0o755)
+ file, err := os.OpenFile(filepath.Join(repoPath, languageStatsFilename), os.O_WRONLY|os.O_CREATE, perm.SharedExecutable)
require.NoError(t, err)
w := zlib.NewWriter(file)
require.NoError(t, json.NewEncoder(w).Encode(stats))
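Review bot: The `os.OpenFile` call creates the language-stats cache, which the following lines fill with zlib-compressed JSON, using `perm.SharedExecutable`. The named constant now makes it obvious that a data file is being requested with execute bits. The "corrupt cache" case earlier in this file writes the same filename with `perm.SharedFile`, so the two modes disagree. The comment says this copies save(), which is not visible here. If save() uses the same mode, both places would be better off with `os.O_WRONLY|os.O_CREATE, perm.SharedFile`.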
diff --git a/internal/gitaly/linguist/linguist_test.go b/internal/gitaly/linguist/linguist_test.go
index 1fd1bb633..6de1d52fe 100644
--- a/internal/gitaly/linguist/linguist_test.go
+++ b/internal/gitaly/linguist/linguist_test.go
@@ -460,7 +460,7 @@ func TestInstance_Stats(t *testing.T) {
gittest.TreeEntry{Path: "application.rb", Mode: "100644", Content: strings.Repeat("a", 2943)},
))
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, languageStatsFilename), []byte("garbage"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, languageStatsFilename), []byte("garbage"), perm.SharedFile))
return repoProto, repoPath, commitID
},
@@ -532,7 +532,7 @@ func TestInstance_Stats(t *testing.T) {
require.NoError(t, os.MkdirAll(infoPath, perm.SharedDir))
attrData, err := gittest.NewCommand(t, cfg, "-C", repoPath, "cat-file", "blob", objectID.String()+":.gitattributes").Output()
if err == nil {
- require.NoError(t, os.WriteFile(filepath.Join(infoPath, "attributes"), attrData, 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(infoPath, "attributes"), attrData, perm.SharedFile))
}
repo := localrepo.NewTestRepo(t, cfg, repoProto)
diff --git a/internal/gitaly/maintenance/randomwalker_test.go b/internal/gitaly/maintenance/randomwalker_test.go
index 0b6a8e7bf..22f406572 100644
--- a/internal/gitaly/maintenance/randomwalker_test.go
+++ b/internal/gitaly/maintenance/randomwalker_test.go
@@ -156,7 +156,7 @@ func TestRandomWalk(t *testing.T) {
}
for _, file := range tc.files {
- require.NoError(t, os.WriteFile(filepath.Join(root, file), []byte{}, 0o777))
+ require.NoError(t, os.WriteFile(filepath.Join(root, file), []byte{}, perm.PublicExecutable))
}
walker := newRandomWalker(root, rand.New(rand.NewSource(1)))
diff --git a/internal/gitaly/repoutil/create_test.go b/internal/gitaly/repoutil/create_test.go
index 838970617..97e2fbb07 100644
--- a/internal/gitaly/repoutil/create_test.go
+++ b/internal/gitaly/repoutil/create_test.go
@@ -219,14 +219,14 @@ func TestCreate(t *testing.T) {
// indeterministic data that's different across replicas and would
// thus cause us to not reach quorum.
require.NoError(t, os.Mkdir(filepath.Join(repoPath, "objects"), perm.PublicDir))
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, "objects", "object"), []byte("object"), 0o666))
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, "FETCH_HEAD"), []byte("fetch-head"), 0o666))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, "objects", "object"), []byte("object"), perm.PublicFile))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, "FETCH_HEAD"), []byte("fetch-head"), perm.PublicFile))
// All the other files should be hashed though.
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, "HEAD"), []byte("head"), 0o666))
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, "config"), []byte("cfg"), 0o666))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, "HEAD"), []byte("head"), perm.PublicFile))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, "config"), []byte("cfg"), perm.PublicFile))
require.NoError(t, os.MkdirAll(filepath.Join(repoPath, "refs", "heads"), perm.PublicDir))
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, "refs", "heads", "foo"), []byte("foo"), 0o666))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, "refs", "heads", "foo"), []byte("foo"), perm.PublicFile))
return nil
},
diff --git a/internal/gitaly/rubyserver/rubyserver.go b/internal/gitaly/rubyserver/rubyserver.go
index 34f3e80c6..d047f8707 100644
--- a/internal/gitaly/rubyserver/rubyserver.go
+++ b/internal/gitaly/rubyserver/rubyserver.go
@@ -162,7 +162,7 @@ func (s *Server) start() error {
// Git configuration. Otherwise, Rugged wouldn't find it.
if err := os.WriteFile(filepath.Join(gitconfigDir, "gitconfig"), []byte(
"[core]\n\tfsyncObjectFiles = true\n",
- ), 0o666); err != nil {
+ ), perm.PublicFile); err != nil {
return fmt.Errorf("writing gitconfig: %w", err)
}
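Review bot: The gitconfig written in start() still requests 0o666, now under the name `perm.PublicFile`, so whether other local accounts can modify it depends entirely on the process umask. The surrounding comment says Rugged loads this file as Git configuration, and nothing visible in the hunk needs it to be group- or world-writable, so the narrower `), perm.SharedFile); err != nil {` looks like the better fit. `os.WriteFile` also leaves the mode of an already existing file untouched, so a looser gitconfig left over from an earlier run keeps its permissions unless it is removed or chmod-ed first. start() begins and continues outside this hunk, so the mode of `gitconfigDir` itself is worth checking in the same pass.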
diff --git a/internal/gitaly/rubyserver/rubyserver_test.go b/internal/gitaly/rubyserver/rubyserver_test.go
index a52e3f4fb..15e0c905d 100644
--- a/internal/gitaly/rubyserver/rubyserver_test.go
+++ b/internal/gitaly/rubyserver/rubyserver_test.go
@@ -16,6 +16,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config/log"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/storage"
"gitlab.com/gitlab-org/gitaly/v15/internal/helper"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper/testcfg"
"gitlab.com/gitlab-org/gitaly/v15/internal/version"
@@ -171,7 +172,7 @@ func TestServer_gitconfig(t *testing.T) {
setup: func(t *testing.T) (config.Cfg, string) {
gitconfigDir := testhelper.TempDir(t)
expectedPath := filepath.Join(gitconfigDir, "gitconfig")
- require.NoError(t, os.WriteFile(expectedPath, []byte("garbage"), 0o666))
+ require.NoError(t, os.WriteFile(expectedPath, []byte("garbage"), perm.PublicFile))
cfg := testcfg.Build(t, testcfg.WithBase(config.Cfg{
Ruby: config.Ruby{
diff --git a/internal/gitaly/service/conflicts/resolve_conflicts_test.go b/internal/gitaly/service/conflicts/resolve_conflicts_test.go
index 5efe7f6b9..948880ab5 100644
--- a/internal/gitaly/service/conflicts/resolve_conflicts_test.go
+++ b/internal/gitaly/service/conflicts/resolve_conflicts_test.go
@@ -20,6 +20,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/localrepo"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/hook"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper/testcfg"
"gitlab.com/gitlab-org/gitaly/v15/proto/go/gitalypb"
@@ -474,7 +475,7 @@ func TestResolveConflictsIdenticalContent(t *testing.T) {
} {
contents := gittest.Exec(t, cfg, "-C", repoPath, "cat-file", "-p", rev+":files/ruby/popen.rb")
path := filepath.Join(tempDir, rev)
- require.NoError(t, os.WriteFile(path, contents, 0o644))
+ require.NoError(t, os.WriteFile(path, contents, perm.SharedFile))
conflictingPaths = append(conflictingPaths, path)
}
diff --git a/internal/gitaly/service/objectpool/alternates_test.go b/internal/gitaly/service/objectpool/alternates_test.go
index 8b9a9205c..99687d6c5 100644
--- a/internal/gitaly/service/objectpool/alternates_test.go
+++ b/internal/gitaly/service/objectpool/alternates_test.go
@@ -12,6 +12,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/localrepo"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/metadata/featureflag"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/proto/go/gitalypb"
@@ -115,7 +116,7 @@ func testDisconnectGitAlternatesUnexpectedAlternates(t *testing.T, ctx context.C
altPath, err := repo.InfoAlternatesPath()
require.NoError(t, err)
- require.NoError(t, os.WriteFile(altPath, []byte(tc.altContent), 0o644))
+ require.NoError(t, os.WriteFile(altPath, []byte(tc.altContent), perm.SharedFile))
_, err = client.DisconnectGitAlternates(ctx, &gitalypb.DisconnectGitAlternatesRequest{Repository: repoProto})
require.Error(t, err)
@@ -149,7 +150,7 @@ func testRemoveAlternatesIfOk(t *testing.T, ctx context.Context) {
altPath, err := repo.InfoAlternatesPath()
require.NoError(t, err)
altContent := testhelper.TempDir(t) + "\n"
- require.NoError(t, os.WriteFile(altPath, []byte(altContent), 0o644))
+ require.NoError(t, os.WriteFile(altPath, []byte(altContent), perm.SharedFile))
// Intentionally break the repository so that the consistency check will cause an
// error.
@@ -177,7 +178,7 @@ func testRemoveAlternatesIfOk(t *testing.T, ctx context.Context) {
altPath, err := repo.InfoAlternatesPath()
require.NoError(t, err)
altContent := testhelper.TempDir(t) + "\n"
- require.NoError(t, os.WriteFile(altPath, []byte(altContent), 0o644))
+ require.NoError(t, os.WriteFile(altPath, []byte(altContent), perm.SharedFile))
// In order to test the scenario where a commit is in a commit graph but not in the
// object database, we will first write a new commit, write the commit graph, then
diff --git a/internal/gitaly/service/objectpool/create_test.go b/internal/gitaly/service/objectpool/create_test.go
index b4dba6096..edad5de8a 100644
--- a/internal/gitaly/service/objectpool/create_test.go
+++ b/internal/gitaly/service/objectpool/create_test.go
@@ -90,7 +90,7 @@ func TestCreate_unsuccessful(t *testing.T) {
lockedRelativePath := gittest.NewObjectPoolName(t)
lockedFullPath := filepath.Join(cfg.Storages[0].Path, lockedRelativePath+".lock")
require.NoError(t, os.MkdirAll(filepath.Dir(lockedFullPath), perm.SharedDir))
- require.NoError(t, os.WriteFile(lockedFullPath, nil, 0o644))
+ require.NoError(t, os.WriteFile(lockedFullPath, nil, perm.SharedFile))
// Create a preexisting object pool.
preexistingPool := &gitalypb.ObjectPool{
diff --git a/internal/gitaly/service/objectpool/fetch_into_object_pool_test.go b/internal/gitaly/service/objectpool/fetch_into_object_pool_test.go
index 1e73ef205..5c25adbeb 100644
--- a/internal/gitaly/service/objectpool/fetch_into_object_pool_test.go
+++ b/internal/gitaly/service/objectpool/fetch_into_object_pool_test.go
@@ -82,7 +82,7 @@ func testFetchIntoObjectPoolSuccess(t *testing.T, ctx context.Context) {
// references though and thus be able to recover.
brokenRef := filepath.Join(poolPath, "refs", "heads", "broken")
require.NoError(t, os.MkdirAll(filepath.Dir(brokenRef), perm.SharedDir))
- require.NoError(t, os.WriteFile(brokenRef, []byte{}, 0o777))
+ require.NoError(t, os.WriteFile(brokenRef, []byte{}, perm.PublicExecutable))
oldTime := time.Now().Add(-25 * time.Hour)
require.NoError(t, os.Chtimes(brokenRef, oldTime, oldTime))
diff --git a/internal/gitaly/service/objectpool/get_test.go b/internal/gitaly/service/objectpool/get_test.go
index c9789a607..aef3df684 100644
--- a/internal/gitaly/service/objectpool/get_test.go
+++ b/internal/gitaly/service/objectpool/get_test.go
@@ -57,7 +57,7 @@ func TestGetObjectPoolBadFile(t *testing.T) {
alternatesFilePath := filepath.Join(repoPath, "objects", "info", "alternates")
require.NoError(t, os.MkdirAll(filepath.Dir(alternatesFilePath), perm.SharedDir))
- require.NoError(t, os.WriteFile(alternatesFilePath, []byte("not-a-directory"), 0o644))
+ require.NoError(t, os.WriteFile(alternatesFilePath, []byte("not-a-directory"), perm.SharedFile))
resp, err := client.GetObjectPool(ctx, &gitalypb.GetObjectPoolRequest{
Repository: repo,
diff --git a/internal/gitaly/service/objectpool/link_test.go b/internal/gitaly/service/objectpool/link_test.go
index b1f453450..aeb75de38 100644
--- a/internal/gitaly/service/objectpool/link_test.go
+++ b/internal/gitaly/service/objectpool/link_test.go
@@ -11,6 +11,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/git"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/localrepo"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/structerr"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper/testserver"
@@ -106,7 +107,7 @@ func TestLink_noClobber(t *testing.T) {
require.NoFileExists(t, alternatesFile)
contentBefore := "mock/objects\n"
- require.NoError(t, os.WriteFile(alternatesFile, []byte(contentBefore), 0o644))
+ require.NoError(t, os.WriteFile(alternatesFile, []byte(contentBefore), perm.SharedFile))
request := &gitalypb.LinkRepositoryToObjectPoolRequest{
Repository: repoProto,
diff --git a/internal/gitaly/service/repository/apply_gitattributes.go b/internal/gitaly/service/repository/apply_gitattributes.go
index 6b10b13aa..79a12259a 100644
--- a/internal/gitaly/service/repository/apply_gitattributes.go
+++ b/internal/gitaly/service/repository/apply_gitattributes.go
@@ -22,7 +22,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/proto/go/gitalypb"
)
-const attributesFileMode os.FileMode = 0o644
+const attributesFileMode os.FileMode = perm.SharedFile
func (s *server) applyGitattributes(ctx context.Context, repo *localrepo.Repo, objectReader catfile.ObjectContentReader, repoPath string, revision []byte) (returnedErr error) {
infoPath := filepath.Join(repoPath, "info")
diff --git a/internal/gitaly/service/repository/apply_gitattributes_test.go b/internal/gitaly/service/repository/apply_gitattributes_test.go
index 0eeb7ecb5..227d8e36e 100644
--- a/internal/gitaly/service/repository/apply_gitattributes_test.go
+++ b/internal/gitaly/service/repository/apply_gitattributes_test.go
@@ -69,7 +69,7 @@ func TestApplyGitattributes_successful(t *testing.T) {
t.Run("with preexisting 'info/attributes'", func(t *testing.T) {
require.NoError(t, os.RemoveAll(infoPath))
require.NoError(t, os.Mkdir(infoPath, perm.SharedDir))
- require.NoError(t, os.WriteFile(attributesPath, []byte("*.docx diff=word"), 0o644))
+ require.NoError(t, os.WriteFile(attributesPath, []byte("*.docx diff=word"), perm.SharedFile))
requireApplyGitattributes(t, ctx, client, repo, attributesPath, tc.revision, tc.expectedContent)
})
})
diff --git a/internal/gitaly/service/repository/archive_test.go b/internal/gitaly/service/repository/archive_test.go
index fa1c1a1aa..e48111ac0 100644
--- a/internal/gitaly/service/repository/archive_test.go
+++ b/internal/gitaly/service/repository/archive_test.go
@@ -18,6 +18,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/git/smudge"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitlab"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/helper/text"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper/testcfg"
@@ -551,7 +552,7 @@ func TestGetArchive_environment(t *testing.T) {
func compressedFileContents(t *testing.T, format gitalypb.GetArchiveRequest_Format, contents []byte) string {
path := filepath.Join(testhelper.TempDir(t), "archive")
- require.NoError(t, os.WriteFile(path, contents, 0o644))
+ require.NoError(t, os.WriteFile(path, contents, perm.SharedFile))
switch format {
case gitalypb.GetArchiveRequest_TAR:
diff --git a/internal/gitaly/service/repository/backup_custom_hooks_test.go b/internal/gitaly/service/repository/backup_custom_hooks_test.go
index 9c897bcd2..62d42ddbc 100644
--- a/internal/gitaly/service/repository/backup_custom_hooks_test.go
+++ b/internal/gitaly/service/repository/backup_custom_hooks_test.go
@@ -36,7 +36,7 @@ func TestBackupCustomHooks_successful(t *testing.T) {
}
require.NoError(t, os.Mkdir(filepath.Join(repoPath, "custom_hooks"), perm.PrivateDir), "Could not create custom_hooks dir")
for _, fileName := range expectedTarResponse[1:] {
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, fileName), []byte("Some hooks"), 0o700), fmt.Sprintf("Could not create %s", fileName))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, fileName), []byte("Some hooks"), perm.PrivateExecutable), fmt.Sprintf("Could not create %s", fileName))
}
backupRequest := &gitalypb.BackupCustomHooksRequest{Repository: repo}
diff --git a/internal/gitaly/service/repository/create_fork_test.go b/internal/gitaly/service/repository/create_fork_test.go
index 9b40586b3..cb936e263 100644
--- a/internal/gitaly/service/repository/create_fork_test.go
+++ b/internal/gitaly/service/repository/create_fork_test.go
@@ -244,7 +244,7 @@ func TestCreateFork_targetExists(t *testing.T) {
require.NoError(t, os.WriteFile(
filepath.Join(targetPath, "config"),
nil,
- 0o644,
+ perm.SharedFile,
))
},
expectedErrWithAtomicCreation: structerr.NewAlreadyExists("creating fork: repository exists already"),
@@ -253,7 +253,7 @@ func TestCreateFork_targetExists(t *testing.T) {
desc: "target file",
seed: func(t *testing.T, targetPath string) {
require.NoError(t, os.MkdirAll(filepath.Dir(targetPath), perm.GroupPrivateDir))
- require.NoError(t, os.WriteFile(targetPath, nil, 0o644))
+ require.NoError(t, os.WriteFile(targetPath, nil, perm.SharedFile))
},
expectedErrWithAtomicCreation: structerr.NewAlreadyExists("creating fork: repository exists already"),
},
diff --git a/internal/gitaly/service/repository/create_repository_from_url_test.go b/internal/gitaly/service/repository/create_repository_from_url_test.go
index d06eec7ae..63df6ae02 100644
--- a/internal/gitaly/service/repository/create_repository_from_url_test.go
+++ b/internal/gitaly/service/repository/create_repository_from_url_test.go
@@ -134,7 +134,7 @@ func TestCreateRepositoryFromURL_existingTarget(t *testing.T) {
require.NoError(t, os.MkdirAll(importedRepoPath, perm.GroupPrivateDir))
} else {
require.NoError(t, os.MkdirAll(filepath.Dir(importedRepoPath), perm.PublicDir))
- require.NoError(t, os.WriteFile(importedRepoPath, nil, 0o644))
+ require.NoError(t, os.WriteFile(importedRepoPath, nil, perm.SharedFile))
}
t.Cleanup(func() { require.NoError(t, os.RemoveAll(importedRepoPath)) })
diff --git a/internal/gitaly/service/repository/fetch_remote_test.go b/internal/gitaly/service/repository/fetch_remote_test.go
index 36c596379..22d52137c 100644
--- a/internal/gitaly/service/repository/fetch_remote_test.go
+++ b/internal/gitaly/service/repository/fetch_remote_test.go
@@ -15,6 +15,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/transaction"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/helper/text"
"gitlab.com/gitlab-org/gitaly/v15/internal/metadata"
"gitlab.com/gitlab-org/gitaly/v15/internal/structerr"
@@ -1121,7 +1122,7 @@ func TestFetchRemote_pooledRepository(t *testing.T) {
// Create the pooled repository and link it to its pool. This is the
// repository we're fetching into.
pooledRepoProto, pooledRepoPath := gittest.CreateRepository(t, ctx, cfg)
- require.NoError(t, os.WriteFile(filepath.Join(pooledRepoPath, "objects", "info", "alternates"), []byte(filepath.Join(poolRepoPath, "objects")), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(pooledRepoPath, "objects", "info", "alternates"), []byte(filepath.Join(poolRepoPath, "objects")), perm.SharedFile))
// And then finally create a third repository that emulates the remote side
// we're fetching from. We need to create at least one reference so that Git
diff --git a/internal/gitaly/service/repository/fsck_test.go b/internal/gitaly/service/repository/fsck_test.go
index 6bf337388..bbaf8e617 100644
--- a/internal/gitaly/service/repository/fsck_test.go
+++ b/internal/gitaly/service/repository/fsck_test.go
@@ -11,6 +11,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/structerr"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/proto/go/gitalypb"
@@ -77,7 +78,7 @@ func TestFsck(t *testing.T) {
// This makes the repo severely broken so that `git` does not
// identify it as a proper repository anymore.
require.NoError(t, os.RemoveAll(filepath.Join(repoPath, "objects")))
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, "objects"), nil, 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, "objects"), nil, perm.SharedFile))
return setupData{
repo: repo,
diff --git a/internal/gitaly/service/repository/gc_test.go b/internal/gitaly/service/repository/gc_test.go
index 97ea88b17..b6fe71cee 100644
--- a/internal/gitaly/service/repository/gc_test.go
+++ b/internal/gitaly/service/repository/gc_test.go
@@ -557,11 +557,11 @@ func testCleanupInvalidKeepAroundRefs(t *testing.T, ctx context.Context) {
// Create an invalid ref that should should be removed with the testcase
bogusSha := "b3f5e4adf6277b571b7943a4f0405a6dd7ee7e15"
bogusPath := filepath.Join(repoPath, fmt.Sprintf("refs/keep-around/%s", bogusSha))
- require.NoError(t, os.WriteFile(bogusPath, []byte(bogusSha), 0o644))
+ require.NoError(t, os.WriteFile(bogusPath, []byte(bogusSha), perm.SharedFile))
// Creating the keeparound without using git so we can create invalid ones in testcases
refPath := filepath.Join(repoPath, fmt.Sprintf("refs/keep-around/%s", testcase.refName))
- require.NoError(t, os.WriteFile(refPath, []byte(testcase.refContent), 0o644))
+ require.NoError(t, os.WriteFile(refPath, []byte(testcase.refContent), perm.SharedFile))
// Perform the request
req := &gitalypb.GarbageCollectRequest{Repository: repo}
@@ -591,7 +591,7 @@ func mustCreateFileWithTimes(tb testing.TB, path string, mTime time.Time) {
tb.Helper()
require.NoError(tb, os.MkdirAll(filepath.Dir(path), perm.SharedDir))
- require.NoError(tb, os.WriteFile(path, nil, 0o644))
+ require.NoError(tb, os.WriteFile(path, nil, perm.SharedFile))
require.NoError(tb, os.Chtimes(path, mTime, mTime))
}
diff --git a/internal/gitaly/service/repository/info_attributes_test.go b/internal/gitaly/service/repository/info_attributes_test.go
index 7c5ea034d..d8fe03690 100644
--- a/internal/gitaly/service/repository/info_attributes_test.go
+++ b/internal/gitaly/service/repository/info_attributes_test.go
@@ -30,7 +30,7 @@ func TestGetInfoAttributesExisting(t *testing.T) {
buffSize := streamio.WriteBufferSize + 1
data := bytes.Repeat([]byte("*.pbxproj binary\n"), buffSize)
attrsPath := filepath.Join(infoPath, "attributes")
- err := os.WriteFile(attrsPath, data, 0o644)
+ err := os.WriteFile(attrsPath, data, perm.SharedFile)
require.NoError(t, err)
request := &gitalypb.GetInfoAttributesRequest{Repository: repo}
diff --git a/internal/gitaly/service/repository/midx_test.go b/internal/gitaly/service/repository/midx_test.go
index ce5fc108f..5d7e15c4e 100644
--- a/internal/gitaly/service/repository/midx_test.go
+++ b/internal/gitaly/service/repository/midx_test.go
@@ -23,6 +23,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/git/stats"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/transaction"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/helper/text"
"gitlab.com/gitlab-org/gitaly/v15/internal/metadata"
"gitlab.com/gitlab-org/gitaly/v15/internal/metadata/featureflag"
@@ -64,7 +65,7 @@ func TestMidxRewrite(t *testing.T) {
// Create an invalid multi-pack-index file
// with mtime update being the basis for comparison
- require.NoError(t, os.WriteFile(midxPath, nil, 0o644))
+ require.NoError(t, os.WriteFile(midxPath, nil, perm.SharedFile))
require.NoError(t, os.Chtimes(midxPath, time.Time{}, time.Time{}))
info, err := os.Stat(midxPath)
require.NoError(t, err)
diff --git a/internal/gitaly/service/repository/object_format_test.go b/internal/gitaly/service/repository/object_format_test.go
index 2cc8e738a..80d41c36f 100644
--- a/internal/gitaly/service/repository/object_format_test.go
+++ b/internal/gitaly/service/repository/object_format_test.go
@@ -10,6 +10,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/errors"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/structerr"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/proto/go/gitalypb"
@@ -144,7 +145,7 @@ func TestObjectFormat(t *testing.T) {
"[extensions]",
"objectFormat = blake2b",
}, "\n"),
- ), 0o644))
+ ), perm.SharedFile))
return setupData{
request: &gitalypb.ObjectFormatRequest{
diff --git a/internal/gitaly/service/repository/remove_test.go b/internal/gitaly/service/repository/remove_test.go
index 06e54c58c..d777ecdfa 100644
--- a/internal/gitaly/service/repository/remove_test.go
+++ b/internal/gitaly/service/repository/remove_test.go
@@ -6,6 +6,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/structerr"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper/testserver"
@@ -67,7 +68,7 @@ func TestRemoveRepository_locking(t *testing.T) {
// Simulate a concurrent RPC holding the repository lock.
lockPath := repoPath + ".lock"
- require.NoError(t, os.WriteFile(lockPath, []byte{}, 0o644))
+ require.NoError(t, os.WriteFile(lockPath, []byte{}, perm.SharedFile))
defer func() { require.NoError(t, os.RemoveAll(lockPath)) }()
_, err := client.RemoveRepository(ctx, &gitalypb.RemoveRepositoryRequest{Repository: repo})
diff --git a/internal/gitaly/service/repository/replicate.go b/internal/gitaly/service/repository/replicate.go
index a5eb1ab11..5d442e1a2 100644
--- a/internal/gitaly/service/repository/replicate.go
+++ b/internal/gitaly/service/repository/replicate.go
@@ -279,7 +279,7 @@ func (s *server) syncGitconfig(ctx context.Context, in *gitalypb.ReplicateReposi
}
configPath := filepath.Join(repoPath, "config")
- if err := s.writeFile(ctx, configPath, 0o644, streamio.NewReader(func() ([]byte, error) {
+ if err := s.writeFile(ctx, configPath, perm.SharedFile, streamio.NewReader(func() ([]byte, error) {
resp, err := stream.Recv()
return resp.GetData(), err
})); err != nil {
diff --git a/internal/gitaly/service/repository/replicate_test.go b/internal/gitaly/service/repository/replicate_test.go
index ca10e838f..8e87ae0cd 100644
--- a/internal/gitaly/service/repository/replicate_test.go
+++ b/internal/gitaly/service/repository/replicate_test.go
@@ -66,7 +66,7 @@ func TestReplicateRepository(t *testing.T) {
attrFilePath := filepath.Join(repoPath, "info", "attributes")
require.NoError(t, os.MkdirAll(filepath.Dir(attrFilePath), perm.SharedDir))
attrData := []byte("*.pbxproj binary\n")
- require.NoError(t, os.WriteFile(attrFilePath, attrData, 0o644))
+ require.NoError(t, os.WriteFile(attrFilePath, attrData, perm.SharedFile))
// Write a modified gitconfig
gittest.Exec(t, cfg, "-C", repoPath, "config", "please.replicate", "me")
@@ -489,7 +489,7 @@ func TestReplicateRepository_FailedFetchInternalRemote(t *testing.T) {
})
// We corrupt the repository by writing garbage into HEAD.
- require.NoError(t, os.WriteFile(filepath.Join(sourceRepoPath, "HEAD"), []byte("garbage"), 0o666))
+ require.NoError(t, os.WriteFile(filepath.Join(sourceRepoPath, "HEAD"), []byte("garbage"), perm.PublicFile))
ctx = testhelper.MergeOutgoingMetadata(ctx, testcfg.GitalyServersMetadataFromCfg(t, cfg))
@@ -532,7 +532,7 @@ func listenGitalySSHCalls(t *testing.T, conf config.Cfg) func() gitalySSHParams
echo "$@" >%[1]q/arguments
exec %[2]q "$@"`, tmpDir, updatedPath)
- require.NoError(t, os.WriteFile(initialPath, []byte(script), 0o755))
+ require.NoError(t, os.WriteFile(initialPath, []byte(script), perm.SharedExecutable))
return func() gitalySSHParams {
arguments := testhelper.MustReadFile(t, filepath.Join(tmpDir, "arguments"))
diff --git a/internal/gitaly/service/repository/restore_custom_hooks_test.go b/internal/gitaly/service/repository/restore_custom_hooks_test.go
index f9bee0ba1..10a3a5c5e 100644
--- a/internal/gitaly/service/repository/restore_custom_hooks_test.go
+++ b/internal/gitaly/service/repository/restore_custom_hooks_test.go
@@ -178,32 +178,32 @@ func TestNewDirectoryVote(t *testing.T) {
{
desc: "generated hash matches",
files: []testFile{
- {name: "pre-commit.sample", content: "foo", mode: 0o755},
- {name: "pre-push.sample", content: "bar", mode: 0o755},
+ {name: "pre-commit.sample", content: "foo", mode: perm.SharedExecutable},
+ {name: "pre-push.sample", content: "bar", mode: perm.SharedExecutable},
},
expectedHash: "8ca11991268de4c9278488a674fc1a88db449566",
},
{
desc: "generated hash matches with changed file name",
files: []testFile{
- {name: "pre-commit.sample.diff", content: "foo", mode: 0o755},
- {name: "pre-push.sample", content: "bar", mode: 0o755},
+ {name: "pre-commit.sample.diff", content: "foo", mode: perm.SharedExecutable},
+ {name: "pre-push.sample", content: "bar", mode: perm.SharedExecutable},
},
expectedHash: "b5ed58ced84103da1ed9d7813a9e39b3b5daf7d7",
},
{
desc: "generated hash matches with changed file content",
files: []testFile{
- {name: "pre-commit.sample", content: "foo", mode: 0o755},
- {name: "pre-push.sample", content: "bar.diff", mode: 0o755},
+ {name: "pre-commit.sample", content: "foo", mode: perm.SharedExecutable},
+ {name: "pre-push.sample", content: "bar.diff", mode: perm.SharedExecutable},
},
expectedHash: "178083848c8a08e36c4f86c2d318a84b0bb845f2",
},
{
desc: "generated hash matches with changed file mode",
files: []testFile{
- {name: "pre-commit.sample", content: "foo", mode: 0o644},
- {name: "pre-push.sample", content: "bar", mode: 0o755},
+ {name: "pre-commit.sample", content: "foo", mode: perm.SharedFile},
+ {name: "pre-push.sample", content: "bar", mode: perm.SharedExecutable},
},
expectedHash: "c69574241b83496bb4005b4f7a0dfcda96cb317e",
},
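Review bot: The `expectedHash` values in these four cases are now tied to whatever `perm.SharedExecutable` and `perm.SharedFile` resolve to, since the "generated hash matches with changed file mode" case suggests the mode bits feed the vote hash. If either constant is ever retuned in the perm package, these cases would fail with a hash mismatch that does not point at the cause. I would either keep the literal modes in this table or add a comment above it such as `// expectedHash covers the file mode bits; regenerate the hashes if the perm constants change`. The table and the test body continue outside the hunk.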
diff --git a/internal/gitaly/service/repository/snapshot_test.go b/internal/gitaly/service/repository/snapshot_test.go
index 8a543c400..fe0780f08 100644
--- a/internal/gitaly/service/repository/snapshot_test.go
+++ b/internal/gitaly/service/repository/snapshot_test.go
@@ -46,7 +46,7 @@ func getSnapshot(tb testing.TB, client gitalypb.RepositoryServiceClient, req *gi
func touch(t *testing.T, format string, args ...interface{}) {
path := fmt.Sprintf(format, args...)
- require.NoError(t, os.WriteFile(path, nil, 0o644))
+ require.NoError(t, os.WriteFile(path, nil, perm.SharedFile))
}
func TestGetSnapshotSuccess(t *testing.T) {
@@ -137,7 +137,7 @@ func TestGetSnapshotWithDedupe(t *testing.T) {
// Write alternates file to point to alt objects folder.
alternatesPath, err := repo.InfoAlternatesPath()
require.NoError(t, err)
- require.NoError(t, os.WriteFile(alternatesPath, []byte(fmt.Sprintf("%s\n", alternateObjDir)), 0o644))
+ require.NoError(t, os.WriteFile(alternatesPath, []byte(fmt.Sprintf("%s\n", alternateObjDir)), perm.SharedFile))
// Write another commit into the alternate object directory.
secondCommitID := gittest.WriteCommit(t, cfg, repoPath,
@@ -178,7 +178,7 @@ func TestGetSnapshot_alternateObjectDirectory(t *testing.T) {
t.Run("nonexistent", func(t *testing.T) {
alternateObjectDir := filepath.Join(repoPath, "does-not-exist")
- require.NoError(t, os.WriteFile(alternatesFile, []byte(fmt.Sprintf("%s\n", alternateObjectDir)), 0o644))
+ require.NoError(t, os.WriteFile(alternatesFile, []byte(fmt.Sprintf("%s\n", alternateObjectDir)), perm.SharedFile))
defer func() {
require.NoError(t, os.Remove(alternatesFile))
}()
@@ -193,7 +193,7 @@ func TestGetSnapshot_alternateObjectDirectory(t *testing.T) {
alternateObjectDir := filepath.Join(storageRoot, "..")
- require.NoError(t, os.WriteFile(alternatesFile, []byte(alternateObjectDir), 0o600))
+ require.NoError(t, os.WriteFile(alternatesFile, []byte(alternateObjectDir), perm.PrivateFile))
defer func() {
require.NoError(t, os.Remove(alternatesFile))
}()
@@ -224,7 +224,7 @@ func TestGetSnapshot_alternateObjectDirectory(t *testing.T) {
gittest.WithBranch("some-branch"),
)
- require.NoError(t, os.WriteFile(alternatesFile, []byte(alternateObjectDir), 0o644))
+ require.NoError(t, os.WriteFile(alternatesFile, []byte(alternateObjectDir), perm.SharedFile))
defer func() {
require.NoError(t, os.Remove(alternatesFile))
}()
diff --git a/internal/gitaly/service/server/info.go b/internal/gitaly/service/server/info.go
index 59bd88269..bc3663ba8 100644
--- a/internal/gitaly/service/server/info.go
+++ b/internal/gitaly/service/server/info.go
@@ -8,6 +8,7 @@ import (
"github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus/ctxlogrus"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/storage"
"gitlab.com/gitlab-org/gitaly/v15/internal/helper/fstype"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/structerr"
"gitlab.com/gitlab-org/gitaly/v15/internal/version"
"gitlab.com/gitlab-org/gitaly/v15/proto/go/gitalypb"
@@ -55,7 +56,7 @@ func shardCheck(shardPath string) (readable bool, writeable bool) {
testPath := filepath.Join(shardPath, "+testWrite")
content := []byte("testWrite")
- if err := os.WriteFile(testPath, content, 0o644); err == nil {
+ if err := os.WriteFile(testPath, content, perm.SharedFile); err == nil {
writeable = true
}
_ = os.Remove(testPath)
diff --git a/internal/gitaly/service/smarthttp/inforefs_test.go b/internal/gitaly/service/smarthttp/inforefs_test.go
index 6fabe6a21..2c08a5e88 100644
--- a/internal/gitaly/service/smarthttp/inforefs_test.go
+++ b/internal/gitaly/service/smarthttp/inforefs_test.go
@@ -545,7 +545,7 @@ func createInvalidRepo(tb testing.TB, repoDir string) func() {
func replaceCachedResponse(tb testing.TB, ctx context.Context, cache *cache.DiskCache, req *gitalypb.InfoRefsRequest, newContents string) {
path := pathToCachedResponse(tb, ctx, cache, req)
- require.NoError(tb, os.WriteFile(path, []byte(newContents), 0o644))
+ require.NoError(tb, os.WriteFile(path, []byte(newContents), perm.SharedFile))
}
func setInfoRefsUploadPackMethod(ctx context.Context) context.Context {
diff --git a/internal/gitaly/service/ssh/receive_pack_test.go b/internal/gitaly/service/ssh/receive_pack_test.go
index f44446cb9..8d3e7fbbe 100644
--- a/internal/gitaly/service/ssh/receive_pack_test.go
+++ b/internal/gitaly/service/ssh/receive_pack_test.go
@@ -23,6 +23,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/transaction"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitlab"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/metadata"
"gitlab.com/gitlab-org/gitaly/v15/internal/metadata/featureflag"
"gitlab.com/gitlab-org/gitaly/v15/internal/structerr"
@@ -220,7 +221,7 @@ func TestReceivePack_invalidGitconfig(t *testing.T) {
remoteRepo, remoteRepoPath := gittest.CreateRepository(t, ctx, cfg)
gittest.WriteCommit(t, cfg, remoteRepoPath, gittest.WithBranch("main"))
- require.NoError(t, os.WriteFile(filepath.Join(remoteRepoPath, "config"), []byte("x x x foobar"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(remoteRepoPath, "config"), []byte("x x x foobar"), perm.SharedFile))
remoteRepo.GlProjectPath = "something"
lHead, rHead, err := setupRepoAndPush(t, ctx, cfg, &gitalypb.SSHReceivePackRequest{
@@ -359,7 +360,7 @@ func TestReceivePack_hookFailure(t *testing.T) {
remoteRepo, _ := gittest.CreateRepository(t, ctx, cfg)
hookContent := []byte("#!/bin/sh\nexit 1")
- require.NoError(t, os.WriteFile(filepath.Join(gitCmdFactory.HooksPath(ctx), "pre-receive"), hookContent, 0o755))
+ require.NoError(t, os.WriteFile(filepath.Join(gitCmdFactory.HooksPath(ctx), "pre-receive"), hookContent, perm.SharedExecutable))
_, _, err := setupRepoAndPush(t, ctx, cfg, &gitalypb.SSHReceivePackRequest{
Repository: remoteRepo,
diff --git a/internal/gitaly/service/ssh/upload_pack_test.go b/internal/gitaly/service/ssh/upload_pack_test.go
index 2dce494db..76aea6226 100644
--- a/internal/gitaly/service/ssh/upload_pack_test.go
+++ b/internal/gitaly/service/ssh/upload_pack_test.go
@@ -21,6 +21,7 @@ import (
"gitlab.com/gitlab-org/gitaly/v15/internal/git"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/helper/text"
"gitlab.com/gitlab-org/gitaly/v15/internal/metadata/featureflag"
"gitlab.com/gitlab-org/gitaly/v15/internal/sidechannel"
@@ -781,7 +782,7 @@ func TestUploadPack_gitFailure(t *testing.T) {
// Writing an invalid config will allow repo to pass the `IsGitDirectory` check but still
// trigger an error when git tries to access the repo.
- require.NoError(t, os.WriteFile(filepath.Join(repoPath, "config"), []byte("Not a valid gitconfig"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(repoPath, "config"), []byte("Not a valid gitconfig"), perm.SharedFile))
stream, err := client.SSHUploadPack(ctx)
require.NoError(t, err)
diff --git a/internal/gitaly/transaction/voting_test.go b/internal/gitaly/transaction/voting_test.go
index 33a8ddccb..8431bc736 100644
--- a/internal/gitaly/transaction/voting_test.go
+++ b/internal/gitaly/transaction/voting_test.go
@@ -9,6 +9,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/backchannel"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/safe"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/transaction/txinfo"
@@ -207,7 +208,7 @@ func TestCommitLockedFile(t *testing.T) {
VoteFn: func(context.Context, txinfo.Transaction, voting.Vote, voting.Phase) error {
// This shouldn't typically happen given that the file is locked,
// but we concurrently update the file after our first vote.
- require.NoError(t, os.WriteFile(file, []byte("something"), 0o666))
+ require.NoError(t, os.WriteFile(file, []byte("something"), perm.PublicFile))
return nil
},
}, writer)
diff --git a/internal/gitlab/test_server.go b/internal/gitlab/test_server.go
index 89b0dad2d..c5b42ae28 100644
--- a/internal/gitlab/test_server.go
+++ b/internal/gitlab/test_server.go
@@ -29,7 +29,7 @@ func WriteShellSecretFile(tb testing.TB, dir, secretToken string) string {
require.NoError(tb, os.MkdirAll(dir, perm.PublicDir))
filePath := filepath.Join(dir, ".gitlab_shell_secret")
- require.NoError(tb, os.WriteFile(filePath, []byte(secretToken), 0o644))
+ require.NoError(tb, os.WriteFile(filePath, []byte(secretToken), perm.SharedFile))
return filePath
}
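Review bot: `WriteShellSecretFile` writes the secret token with `perm.SharedFile`, which the perm package documents as a file that may be read outside of gitaly, and the parent directory is created with `perm.PublicDir`. The old literal had the same effect, but the named constant now makes it visible that the secret is readable by other local accounts. Unless a process under a different account has to read it during tests (not visible here), `require.NoError(tb, os.WriteFile(filePath, []byte(secretToken), perm.PrivateFile))` would match the file's content better.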
diff --git a/internal/helper/perm/perm.go b/internal/helper/perm/perm.go
index 4bb476949..869665384 100644
--- a/internal/helper/perm/perm.go
+++ b/internal/helper/perm/perm.go
@@ -22,4 +22,33 @@ const (
// PublicDir is the permission given for a directory that may be read or
// written outside of gitaly.
PublicDir fs.FileMode = 0o777
+
+ // PrivateWriteOnceFile is the most restrictive file permission. Given to
+ // files that are expected to be written only once and must be read only by
+ // gitaly.
+ PrivateWriteOnceFile fs.FileMode = 0o400
+
+ // PrivateFile is the permissions given for a file that must only be used
+ // by gitaly.
+ PrivateFile fs.FileMode = 0o600
+
+ // SharedFile is the permission given for a file that may be read outside
+ // of gitaly.
+ SharedFile fs.FileMode = 0o644
+
+ // PublicFile is the permission given for a file that may be read or
+ // written outside of gitaly.
+ PublicFile fs.FileMode = 0o666
+
+ // PrivateExecutable is the permissions given for an executable that must
+ // only be used by gitaly.
+ PrivateExecutable fs.FileMode = 0o700
+
+ // SharedExecutable is the permission given for an executable that may be
+ // executed outside of gitaly.
+ SharedExecutable fs.FileMode = 0o755
+
+ // PublicExecutable is the permission given for an executable that may be
+ // read or written outside of gitaly.
+ PublicExecutable fs.FileMode = 0o777
)
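Review bot: The doc comments on the new constants do not say that these are requested modes: passed to `os.OpenFile`, `os.WriteFile` or `os.MkdirAll` they are still reduced by the process umask, while `Chmod` applies them as written (this commit uses `f.Chmod(perm.SharedExecutable)` in tools/replace-buildid). A sentence on the const block saying so would stop readers from treating `PublicFile` as a guarantee of 0o666 on disk. The `PublicExecutable` comment also describes read and write access only; `// PublicExecutable is the permission given for an executable that may be read, written or executed outside of gitaly.` reads more accurately. The const block opens outside the hunk.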
diff --git a/internal/log/hook.go b/internal/log/hook.go
index 36a6c848d..96e348b42 100644
--- a/internal/log/hook.go
+++ b/internal/log/hook.go
@@ -7,6 +7,7 @@ import (
"path/filepath"
"github.com/sirupsen/logrus"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
)
// HookLogger is a wrapper around *logrus.Logger
@@ -24,7 +25,7 @@ func NewHookLogger() *HookLogger {
return &HookLogger{logger: logger}
}
- logFile, err := os.OpenFile(filepath.Join(logDir, "gitaly_hooks.log"), os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o644)
+ logFile, err := os.OpenFile(filepath.Join(logDir, "gitaly_hooks.log"), os.O_CREATE|os.O_APPEND|os.O_WRONLY, perm.SharedFile)
if err != nil {
logger.SetOutput(io.Discard)
} else {
diff --git a/internal/safe/file_writer_test.go b/internal/safe/file_writer_test.go
index dac76ff43..88e8f2107 100644
--- a/internal/safe/file_writer_test.go
+++ b/internal/safe/file_writer_test.go
@@ -10,6 +10,7 @@ import (
"testing"
"github.com/stretchr/testify/require"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/safe"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
)
@@ -48,7 +49,7 @@ func TestFileWriter_mode(t *testing.T) {
dir := testhelper.TempDir(t)
target := filepath.Join(dir, "file")
- require.NoError(t, os.WriteFile(target, []byte("contents"), 0o600))
+ require.NoError(t, os.WriteFile(target, []byte("contents"), perm.PrivateFile))
writer, err := safe.NewFileWriter(target, safe.FileWriterConfig{
FileMode: 0o060,
diff --git a/internal/safe/locking_directory.go b/internal/safe/locking_directory.go
index 2f51e5a8e..c3baa7340 100644
--- a/internal/safe/locking_directory.go
+++ b/internal/safe/locking_directory.go
@@ -6,6 +6,8 @@ import (
"io/fs"
"os"
"path/filepath"
+
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
)
type lockingDirectoryState int
@@ -50,7 +52,7 @@ func (ld *LockingDirectory) Lock() error {
return errors.New("locking directory not lockable")
}
- lock, err := os.OpenFile(ld.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, 0o400)
+ lock, err := os.OpenFile(ld.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, perm.PrivateWriteOnceFile)
if err != nil {
if os.IsExist(err) {
return ErrFileAlreadyLocked
diff --git a/internal/safe/locking_directory_test.go b/internal/safe/locking_directory_test.go
index 4d005f8d3..9af47a54b 100644
--- a/internal/safe/locking_directory_test.go
+++ b/internal/safe/locking_directory_test.go
@@ -9,6 +9,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/safe"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
)
@@ -28,7 +29,7 @@ func TestLockingDirectory(t *testing.T) {
require.NoError(t, os.WriteFile(
filepath.Join(path, "somefile"),
[]byte("data"),
- 0o644),
+ perm.SharedFile),
)
assert.ErrorIs(t, secondLockingDir.Lock(), safe.ErrFileAlreadyLocked)
require.NoError(t, lockingDir.Unlock())
diff --git a/internal/safe/locking_file_writer.go b/internal/safe/locking_file_writer.go
index c43720cbe..bb52de6b2 100644
--- a/internal/safe/locking_file_writer.go
+++ b/internal/safe/locking_file_writer.go
@@ -5,6 +5,8 @@ import (
"fmt"
"io"
"os"
+
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
)
type lockingFileWriterState int
@@ -136,7 +138,7 @@ func (fw *LockingFileWriter) Lock() error {
return err
}
- lock, err := os.OpenFile(fw.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, 0o400)
+ lock, err := os.OpenFile(fw.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, perm.PrivateWriteOnceFile)
if err != nil {
if os.IsExist(err) {
return ErrFileAlreadyLocked
diff --git a/internal/safe/locking_file_writer_test.go b/internal/safe/locking_file_writer_test.go
index ee75eb76d..150eba196 100644
--- a/internal/safe/locking_file_writer_test.go
+++ b/internal/safe/locking_file_writer_test.go
@@ -8,6 +8,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/git/gittest"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/safe"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper/testcfg"
@@ -147,7 +148,7 @@ func TestLockingFileWriter_seedingWithExistingTarget(t *testing.T) {
t.Parallel()
target := filepath.Join(testhelper.TempDir(t), "file")
- require.NoError(t, os.WriteFile(target, []byte("seed"), 0o644))
+ require.NoError(t, os.WriteFile(target, []byte("seed"), perm.SharedFile))
writer, err := safe.NewLockingFileWriter(target, safe.LockingFileWriterConfig{
SeedContents: true,
@@ -165,7 +166,7 @@ func TestLockingFileWriter_modifiesExistingFiles(t *testing.T) {
t.Parallel()
target := filepath.Join(testhelper.TempDir(t), "file")
- require.NoError(t, os.WriteFile(target, []byte("preexisting"), 0o644))
+ require.NoError(t, os.WriteFile(target, []byte("preexisting"), perm.SharedFile))
writer, err := safe.NewLockingFileWriter(target)
require.NoError(t, err)
@@ -181,7 +182,7 @@ func TestLockingFileWriter_modifiesExistingFilesWithMode(t *testing.T) {
t.Parallel()
target := filepath.Join(testhelper.TempDir(t), "file")
- require.NoError(t, os.WriteFile(target, []byte("preexisting"), 0o644))
+ require.NoError(t, os.WriteFile(target, []byte("preexisting"), perm.SharedFile))
writer, err := safe.NewLockingFileWriter(target, safe.LockingFileWriterConfig{
FileWriterConfig: safe.FileWriterConfig{FileMode: 0o060},
@@ -204,7 +205,7 @@ func TestLockingFileWriter_concurrentCreation(t *testing.T) {
require.NoError(t, err)
// Create file concurrently.
- require.NoError(t, os.WriteFile(target, []byte("concurrent"), 0o644))
+ require.NoError(t, os.WriteFile(target, []byte("concurrent"), perm.SharedFile))
require.Equal(t, fmt.Errorf("file concurrently created"), writer.Lock())
@@ -216,7 +217,7 @@ func TestLockingFileWriter_concurrentDeletion(t *testing.T) {
target := filepath.Join(testhelper.TempDir(t), "file")
- require.NoError(t, os.WriteFile(target, []byte("base"), 0o644))
+ require.NoError(t, os.WriteFile(target, []byte("base"), perm.SharedFile))
writer, err := safe.NewLockingFileWriter(target)
require.NoError(t, err)
@@ -233,12 +234,12 @@ func TestLockingFileWriter_concurrentModification(t *testing.T) {
target := filepath.Join(testhelper.TempDir(t), "file")
- require.NoError(t, os.WriteFile(target, []byte("base"), 0o644))
+ require.NoError(t, os.WriteFile(target, []byte("base"), perm.SharedFile))
writer, err := safe.NewLockingFileWriter(target)
require.NoError(t, err)
// Concurrently modify the file.
- require.NoError(t, os.WriteFile(target, []byte("concurrent"), 0o644))
+ require.NoError(t, os.WriteFile(target, []byte("concurrent"), perm.SharedFile))
require.Equal(t, fmt.Errorf("file concurrently modified"), writer.Lock())
@@ -271,13 +272,13 @@ func TestLockingFileWriter_locked(t *testing.T) {
t.Parallel()
target := filepath.Join(testhelper.TempDir(t), "file")
- require.NoError(t, os.WriteFile(target, []byte("base"), 0o644))
+ require.NoError(t, os.WriteFile(target, []byte("base"), perm.SharedFile))
writer, err := safe.NewLockingFileWriter(target)
require.NoError(t, err)
// Concurrently lock the file.
- require.NoError(t, os.WriteFile(target+".lock", nil, 0o644))
+ require.NoError(t, os.WriteFile(target+".lock", nil, perm.SharedFile))
require.Equal(t, safe.ErrFileAlreadyLocked, writer.Lock())
@@ -290,7 +291,7 @@ func TestLockingFileWriter_externalProcess(t *testing.T) {
cfg := testcfg.Build(t)
target := filepath.Join(testhelper.TempDir(t), "file")
- require.NoError(t, os.WriteFile(target, []byte("base"), 0o644))
+ require.NoError(t, os.WriteFile(target, []byte("base"), perm.SharedFile))
writer, err := safe.NewLockingFileWriter(target)
require.NoError(t, err)
diff --git a/internal/streamcache/cache_test.go b/internal/streamcache/cache_test.go
index 46aab75b9..9a2bb3603 100644
--- a/internal/streamcache/cache_test.go
+++ b/internal/streamcache/cache_test.go
@@ -377,7 +377,7 @@ func TestCache_unWriteableFile(t *testing.T) {
defer c.Stop()
c.(*cache).createFile = func() (namedWriteCloser, error) {
- return os.OpenFile(filepath.Join(tmp, "unwriteable"), os.O_RDONLY|os.O_CREATE|os.O_EXCL, 0o644)
+ return os.OpenFile(filepath.Join(tmp, "unwriteable"), os.O_RDONLY|os.O_CREATE|os.O_EXCL, perm.SharedFile)
}
r, created, err := c.FindOrCreate("key", func(w io.Writer) error {
@@ -404,7 +404,7 @@ func TestCache_unCloseableFile(t *testing.T) {
defer c.Stop()
c.(*cache).createFile = func() (namedWriteCloser, error) {
- f, err := os.OpenFile(filepath.Join(tmp, "uncloseable"), os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
+ f, err := os.OpenFile(filepath.Join(tmp, "uncloseable"), os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm.SharedFile)
if err != nil {
return nil, err
}
@@ -430,7 +430,7 @@ func TestCache_cannotOpenFileForReading(t *testing.T) {
defer c.Stop()
c.(*cache).createFile = func() (namedWriteCloser, error) {
- f, err := os.OpenFile(filepath.Join(tmp, "unopenable"), os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
+ f, err := os.OpenFile(filepath.Join(tmp, "unopenable"), os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm.SharedFile)
if err != nil {
return nil, err
}
diff --git a/internal/streamcache/filestore.go b/internal/streamcache/filestore.go
index acb756dab..03b623320 100644
--- a/internal/streamcache/filestore.go
+++ b/internal/streamcache/filestore.go
@@ -111,7 +111,7 @@ func (fs *filestore) Create() (namedWriteCloser, error) {
return nil, fmt.Errorf("Create: mkdir: %w", err)
}
- f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
+ f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm.SharedFile)
if err != nil {
return nil, fmt.Errorf("Create: %w", err)
}
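Review bot: `Create` opens stream-cache files with `perm.SharedFile`, which the perm package's own comment describes as readable outside of gitaly; if the cached streams carry repository data, that is broader than the cache needs. Whether the parent directory already restricts access depends on the mkdir call above the hunk, which is not visible here. If nothing outside gitaly reads these files, `f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm.PrivateFile)` would state that intent.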
diff --git a/internal/streamcache/filestore_test.go b/internal/streamcache/filestore_test.go
index adcae98d6..cad141872 100644
--- a/internal/streamcache/filestore_test.go
+++ b/internal/streamcache/filestore_test.go
@@ -110,7 +110,7 @@ func TestFilestoreCleanwalk(t *testing.T) {
file := filepath.Join(dir2, "file")
require.NoError(t, os.Mkdir(dir1, perm.SharedDir))
require.NoError(t, os.Mkdir(dir2, perm.SharedDir))
- require.NoError(t, os.WriteFile(file, nil, 0o644))
+ require.NoError(t, os.WriteFile(file, nil, perm.SharedFile))
require.NoError(t, os.Chmod(dir2, 0), "create dir with pathological permissions")
require.NoError(t, fs.cleanWalk(time.Now().Add(time.Hour)))
@@ -119,7 +119,7 @@ func TestFilestoreCleanwalk(t *testing.T) {
fi, err := os.Stat(d)
require.NoError(t, err, "directories do not get deleted")
- const mask = 0o700
+ const mask = perm.PrivateExecutable
require.True(t, fi.Mode()&mask >= mask, "unexpected file mode %o", fi.Mode())
}
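Review bot: `const mask = perm.PrivateExecutable` is applied to directories (`fi` comes from `os.Stat(d)` and the assertion message is "directories do not get deleted"), so naming the mask after executables is misleading even though the bits are the same 0o700. The file already uses `perm.SharedDir`; if the package offers a private-directory constant, `const mask = perm.PrivateDir` would be the better fit, otherwise the literal `0o700` with a comment `// owner rwx on the directory` is clearer. The loop starts outside the hunk.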
diff --git a/internal/tempdir/clean_test.go b/internal/tempdir/clean_test.go
index b309b178e..343d747d5 100644
--- a/internal/tempdir/clean_test.go
+++ b/internal/tempdir/clean_test.go
@@ -144,7 +144,7 @@ func makeFile(t *testing.T, locator storage.Locator, storage config.Storage, fil
require.NoError(t, err)
fullPath := filepath.Join(root, filePath)
- require.NoError(t, os.WriteFile(fullPath, nil, 0o644))
+ require.NoError(t, os.WriteFile(fullPath, nil, perm.SharedFile))
require.NoError(t, os.Chtimes(fullPath, mtime, mtime))
}
diff --git a/internal/tempdir/tempdir_test.go b/internal/tempdir/tempdir_test.go
index c0e499584..627859448 100644
--- a/internal/tempdir/tempdir_test.go
+++ b/internal/tempdir/tempdir_test.go
@@ -8,6 +8,7 @@ import (
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitaly/v15/internal/gitaly/config"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper"
"gitlab.com/gitlab-org/gitaly/v15/internal/testhelper/testcfg"
)
@@ -27,7 +28,7 @@ func TestNewRepositorySuccess(t *testing.T) {
require.NoError(t, err)
require.Equal(t, tempDir.Path(), calculatedPath)
- require.NoError(t, os.WriteFile(filepath.Join(tempDir.Path(), "test"), []byte("hello"), 0o644))
+ require.NoError(t, os.WriteFile(filepath.Join(tempDir.Path(), "test"), []byte("hello"), perm.SharedFile))
require.DirExists(t, tempDir.Path())
diff --git a/internal/testhelper/logger.go b/internal/testhelper/logger.go
index c654f959d..71ec59306 100644
--- a/internal/testhelper/logger.go
+++ b/internal/testhelper/logger.go
@@ -33,7 +33,7 @@ func NewGitalyServerLogger(tb testing.TB) *logrus.Logger {
}
path := filepath.Join(logDir, "gitaly_server.log")
- f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_RDWR, 0o755)
+ f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_RDWR, perm.SharedExecutable)
require.NoError(tb, err)
tb.Cleanup(func() { require.NoError(tb, f.Close()) })
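Review bot: The server log file is opened with `perm.SharedExecutable`, which marks a plain log file as executable; the old `0o755` had the same effect, but the constant's name now makes the mismatch obvious. `f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_RDWR, perm.SharedFile)` would keep the log readable by others without the execute bits. The function starts outside the hunk.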
diff --git a/internal/testhelper/testhelper.go b/internal/testhelper/testhelper.go
index b24416a8f..71a995a22 100644
--- a/internal/testhelper/testhelper.go
+++ b/internal/testhelper/testhelper.go
@@ -258,7 +258,7 @@ func WriteExecutable(tb testing.TB, path string, content []byte) string {
//
// We thus need to perform file locking to ensure that all writeable references to this
// file have been closed before returning.
- executable, err := os.OpenFile(path, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0o755)
+ executable, err := os.OpenFile(path, os.O_CREATE|os.O_EXCL|os.O_WRONLY, perm.SharedExecutable)
require.NoError(tb, err)
_, err = io.Copy(executable, bytes.NewReader(content))
require.NoError(tb, err)
diff --git a/packed_binaries.go b/packed_binaries.go
index f3b532aba..de99ec8b8 100644
--- a/packed_binaries.go
+++ b/packed_binaries.go
@@ -6,6 +6,8 @@ import (
"io"
"os"
"path/filepath"
+
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
)
// buildDir is the directory path where our build target places the built binaries.
@@ -46,7 +48,7 @@ func UnpackAuxiliaryBinaries(destinationDir string) error {
}()
unpackedPath := filepath.Join(destinationDir, entry.Name())
- unpackedFile, err := os.OpenFile(unpackedPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0o700)
+ unpackedFile, err := os.OpenFile(unpackedPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, perm.PrivateExecutable)
if err != nil {
return err
}
diff --git a/packed_binaries_test.go b/packed_binaries_test.go
index d904ab28b..1c9941305 100644
--- a/packed_binaries_test.go
+++ b/packed_binaries_test.go
@@ -7,6 +7,7 @@ import (
"testing"
"github.com/stretchr/testify/require"
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
)
func TestUnpackAuxiliaryBinaries_success(t *testing.T) {
@@ -21,7 +22,7 @@ func TestUnpackAuxiliaryBinaries_success(t *testing.T) {
for _, entry := range entries {
fileInfo, err := entry.Info()
require.NoError(t, err)
- require.Equal(t, fileInfo.Mode(), os.FileMode(0o700), "expected the owner to have rwx permissions on the unpacked binary")
+ require.Equal(t, fileInfo.Mode(), perm.PrivateExecutable, "expected the owner to have rwx permissions on the unpacked binary")
sourceBinary, err := os.ReadFile(filepath.Join(buildDir, fileInfo.Name()))
require.NoError(t, err)
@@ -37,7 +38,7 @@ func TestUnpackAuxiliaryBinaries_alreadyExists(t *testing.T) {
destinationDir := t.TempDir()
existingFile := filepath.Join(destinationDir, "gitaly-hooks")
- require.NoError(t, os.WriteFile(existingFile, []byte("existing file"), os.ModePerm))
+ require.NoError(t, os.WriteFile(existingFile, []byte("existing file"), perm.PublicFile))
err := UnpackAuxiliaryBinaries(destinationDir)
require.EqualError(t, err, fmt.Sprintf(`open %s: file exists`, existingFile), "expected unpacking to fail if destination binary already existed")
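Review bot: Replacing `os.ModePerm` with `perm.PublicFile` changes the fixture's mode from 0o777 to 0o666, so this line is not a pure rename like the rest of the commit. The test only needs a pre-existing file at the destination, so the narrower mode looks harmless, but it deserves a mention in the commit message. If the intent was to keep the value, `perm.PublicExecutable` is the equivalent constant; a fixture that nothing else reads could just as well use `perm.PrivateFile`.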
diff --git a/tools/replace-buildid/main.go b/tools/replace-buildid/main.go
index 0eab44149..369d348c4 100644
--- a/tools/replace-buildid/main.go
+++ b/tools/replace-buildid/main.go
@@ -16,6 +16,8 @@ import (
"io"
"os"
"path/filepath"
+
+ "gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
)
func main() {
@@ -105,7 +107,7 @@ func writeBinary(binaryPath string, contents []byte) error {
f.Close()
}()
- if err := f.Chmod(0o755); err != nil {
+ if err := f.Chmod(perm.SharedExecutable); err != nil {
return fmt.Errorf("could not change permissions: %w", err)
}